Preface


Logics have, for many years, laid claim to providing a formal basis for the study of 
artificial intelligence. With the depth and maturity of methodologies, formalisms, 
procedures, implementations, and their applications available today, this claim is 
stronger than ever, as witnessed by the increasing number and range of publications
in the area, to which the present proceedings contribute.

The European series of Workshops on Logics in Artificial Intelligence (or 
Journées Européennes sur la Logique en Intelligence Artificielle — JELIA) began 
in response to the need for a European forum for the discussion of emerging 
work in this burgeoning field. JELIA 2000 is the seventh such workshop in the 
series, following the ones held in Roscoff, France (1988); Amsterdam, Netherlands 
(1990); Berlin, Germany (1992); York, U.K. (1994); Évora, Portugal (1996); and
Dagstuhl, Germany (1998). 

JELIA 2000 will take place in Málaga, Spain, from 29 September to 2 October
2000. The workshop is organized and hosted by the Research Group of
Mathematics Applied to Computing of the Department of Applied Mathematics
of the University of Málaga.

As in previous workshops, the aim is to bring together researchers involved in 
all aspects of logic in artificial intelligence. Additional sponsorship was provided 
by the ESPRIT NOE Compulog-Net. 

This volume contains the papers selected for presentation at the workshop
along with abstracts and papers from the invited speakers. The programme
committee selected these 23 papers, from 12 countries (Australia, Austria,
Belgium, Canada, Finland, Germany, Hong Kong, Italy, The Netherlands,
Portugal, Spain, and the United Kingdom), out of 60 submissions from 22 countries
(submissions were also received from Argentina, Brazil, Czech Republic, France,
Japan, Mexico, Poland, Slovakia, Sweden, and Switzerland). We would like to
thank all authors for their contributions as well as the invited speakers Johan
van Benthem from the University of Amsterdam (The Netherlands), Thomas
Eiter from the Vienna University of Technology (Austria), Reiner Hähnle from
the Chalmers University of Technology (Sweden), and Frank Wolter from the
University of Leipzig (Germany).

Papers were reviewed by the programme committee members with the help
of the additional referees listed overleaf. We would like to thank them all for their
valuable assistance. It is planned that a selection of extended versions of the
best papers will be published in the journal Studia Logica, after being subjected
again to peer review.


September 2000 Gerd Brewka 
Inma P. de Guzman 

Manuel Ojeda-Aciego 

Luis Moniz Pereira 
‘On Being Informed’: Update Logics for
Knowledge States 


Johan van Benthem 


ILLC Amsterdam 


http://www.turing.wins.uva.nl/~johan/ 


Statements convey information by modifying the knowledge states of hearers and
speakers. This dynamic aspect of communication goes beyond the usual role of
logic as a provider of static ‘truth conditions’. But it can be modelled rather
nicely in so-called ‘update logics’, which have been developed since the 1980s.
These systems provide a fresh look at standard logic, letting the usual models
undergo suitable changes as agents absorb the content of successive utterances or
messages. This lecture is a brief Whig history of update logics, with an emphasis
on many-agent epistemic languages. We discuss straight update, questions
and answers, and the delightful complexities of communication under various
constraints. We hope to convey the attraction of giving a dynamic twist to
well-known things, such as simple modal models, or basic epistemic formulas.
Considerations on Updates of Logic Programs


Thomas Eiter, Michael Fink, Giuliana Sabbatini, and Hans Tompits 


Institut und Ludwig Wittgenstein Labor für Informationssysteme, TU Wien
Favoritenstraße 9-11, A-1040 Wien, Austria
{eiter,michael,giuliana,tompits}@kr.tuwien.ac.at


Abstract. Among others, Alferes et al. (1998) presented an approach
for updating logic programs with sets of rules based on dynamic logic
programs. We syntactically redefine dynamic logic programs and investigate
their semantical properties, looking at them from perspectives such
as a belief revision and abstract consequence relation view. Since the
approach does not respect minimality of change, we refine its stable model
semantics and present minimal stable models and strict stable models.
We also compare the update approach to related work, and find that it is
equivalent to a class of inheritance programs independently defined by
Buccafurri et al. (1999).


1 Introduction 


In recent years, agent-based computing has gained increasing interest. The need
for software agents that behave “intelligently” in their environment has raised the
question of how to equip them with advanced reasoning capabilities.

The research on logic-based AI, and in particular the work on logic programming,
has produced a number of approaches and methods which can be exploited
for accomplishing this goal (see e.g. [11]). It has been realized,
however, that further work is needed to extend them so that they fully support
agents which must adapt over time and adjust their decision making.

In a simple (but, as for currently deployed agent systems, realistic) setting, an
agent’s knowledge base $KB$ may be modeled as a logic program. The agent may
now be prompted to adjust its $KB$ after receiving new information in terms of an
update $U$, which is a clause or a set of clauses that need to be incorporated into
$KB$. Simply adding the rules of $U$ to $KB$ does not give a satisfactory solution
in practice, and will result in inconsistency even in simple cases. For example, if
$KB$ contains the rule $a \leftarrow$ and $U$ consists of the rule $\mathit{not}\,a \leftarrow$, stating that $a$
is not provable, then the union $KB \cup U$ is not consistent under stable semantics
(naturally generalized to programs with default negation in rule heads [21]),
which is the predominating two-valued semantics for declarative logic programs.

Most recently, several approaches for updating logic programs with (sets of)
rules have been presented [2,5,17,13]. In particular, the concept of dynamic logic
programs by Alferes et al., introduced in [2] and further developed in [3,5,4,20],
has attracted a lot of interest. Their approach has its roots in, and generalizes,
the idea of revision programming [22], and provides the basis for LUPS, a
logic-programming based update specification language [5]. The basic idea behind the
approach is that in case of conflicting rules, a rule $r$ in $U$ (which is assumed to
be correct as of the time of the update request) is more reliable than any rule $r'$
in $KB$. Thus, application of $r$ rejects application of $r'$. In the previous example,
the rule $\mathit{not}\,a \leftarrow$ from $U$ rejects the rule $a \leftarrow$ from $KB$, thus resolving the
conflict by adopting that $a$ is not provable. The idea is naturally extended to
sequences of updates $U_1, \dots, U_n$, by considering the rules in more recent updates
as more reliable.

While uses and extensions of dynamic logic programming have been dis- 
cussed, cf. [5,4,20], its properties and relationships to other approaches and re- 
lated formalisms have been less explored (but see [4]). The aim of this paper is to 
shed light on these issues, and help us to get a better understanding of dynamic 
logic programming and related approaches in logic programming. 

The main contributions of our work can be summarized as follows. 


— We syntactically redefine dynamic logic programs to equivalent update pro- 
grams, for which stable models are defined. Update programs are slightly 
less involved and, as we believe, better reflect the working of the approach 
than the original definition of dynamic logic programs. For this, information 
about rule rejection is explicitly represented at the object level through re- 
jection atoms. The syntactic redefinition, which reduces the type of rules in 
update programs, is helpful for establishing formal results about properties. 

— We investigate properties of update programs. We consider them from the 
perspective of belief revision, and review different sets of postulates that 
have been proposed in this area. We view update programs as nonmonotonic 
consequence operators, and consider further properties of general interest. 
As it turns out, update programs (and thus dynamic logic programs) do 
not satisfy many of the properties defined in the literature. This is partly 
explained by the nonmonotonicity of logic programs and the causal rejection 
principle embodied in the semantics, which strongly depends on the syntax 
of rules. 

— Dynamic logic programs make no attempt to respect minimality of change. 
We thus refine the semantics of update programs and introduce minimal 
stable models and strict stable models. Informally, minimal stable models 
minimize the set of rules that need to be rejected, and strict stable models 
further refine on this by assigning rules from a later update higher priority. 

— We compare update programs to alternative approaches for updating logic
programs [13,17] and related work on inheritance programs [9]. We find that
update programs are equivalent to a class of inheritance programs. Thus,
update programs (and dynamic logic programs) may be semantically regarded
as a fragment of the framework in [9], which has been developed independently
of [2,5]. Our results on the semantical properties of update programs apply
to this fragment as well.


Due to space reasons, the presentation is necessarily succinct and proofs are 
omitted. More details will be given in the full version of this paper. 
2 Preliminaries


Generalized logic programs [21] consist of rules built over a set $\mathcal{A}$ of propositional
atoms where default negation $\mathit{not}$ is available. A literal, $L$, is either an atom $A$
(a positive literal) or the negation $\mathit{not}\,A$ of an atom $A$ (a negative literal, also
called default literal). For a literal $L$, the complementary literal, $\mathit{not}\,L$, is $\mathit{not}\,A$
if $L = A$, and $A$ if $L = \mathit{not}\,A$, for some atom $A$. For a set $S$ of literals, $\mathit{not}\,S$ is
given by $\mathit{not}\,S = \{\mathit{not}\,L \mid L \in S\}$. We also denote by $Lit_{\mathcal{A}}$ the set $\mathcal{A} \cup \mathit{not}\,\mathcal{A}$ of
all literals over $\mathcal{A}$.

A rule, $r$, is a clause of the form $L_0 \leftarrow L_1, \dots, L_n$, where $n \geq 0$ and $L_0$ may
be missing, and each $L_i$ ($0 \leq i \leq n$) is a literal, i.e., either an atom $A$
or a negated atom $\mathit{not}\,A$. We call $L_0$ the head of $r$ and the set $\{L_1, \dots, L_n\}$ the
body of $r$. The head of $r$ will also be denoted by $H(r)$, and the body of $r$ will be
denoted by $B(r)$. If the rule $r$ has an empty head, then $r$ is a constraint; if the
body of $r$ is empty and the head is non-empty, then $r$ is a fact. We say that $r$
has a negative head if $H(r) = \mathit{not}\,A$, for some atom $A$. The set $B^+(r)$ comprises
the positive literals of $B(r)$, whilst $B^-(r)$ contains all default literals of $B(r)$.

By $\mathcal{L}_{\mathcal{A}}$ we denote the set of all rules over the set $\mathcal{A}$ of atoms. We will usually
write $\mathcal{L}$ instead of $\mathcal{L}_{\mathcal{A}}$ if the underlying set $\mathcal{A}$ is fixed. A generalized logic program
(GLP) $P$ over $\mathcal{A}$ is a finite subset of $\mathcal{L}_{\mathcal{A}}$. If no rule in $P$ contains a negative
head, then $P$ is a normal logic program (NLP); if no default negation whatsoever
occurs in $P$, then $P$ is a positive program.

By an (Herbrand) interpretation we understand any subset $I \subseteq \mathcal{A}$. The
relation $I \models L$ for a literal $L$ is defined as follows:


— if $L = A$ is an atom, then $I \models A$ iff $A \in I$;
— if $L = \mathit{not}\,A$ is a default literal, then $I \models \mathit{not}\,A$ iff $I \not\models A$.


If $I \models L$, then $I$ is a model of $L$, and $L$ is said to be true in $I$ (if $I \not\models L$, then $L$
is false in $I$). For a set $S$ of literals, $I \models S$ iff $I \models L$ for all $L \in S$. Accordingly,
we say that $I$ is a model of $S$. Furthermore, for a rule $r$, we define $I \models r$ iff
$I \models H(r)$ whenever $I \models B(r)$. In particular, if $r$ is a constraint, then $I \models r$ iff
$I \not\models B(r)$. In both cases, if $I \models r$, then $I$ is a model of $r$. Finally, $I \models P$ for a
program $P$ iff $I \models r$ for all $r \in P$.

If a positive logic program $P$ has some model, it always has a smallest Herbrand
model, which we will denote by $lm(P)$. If $P$ has no model, for technical
reasons it is convenient to set $lm(P) = Lit_{\mathcal{A}}$.

We define the reduct, $P^I$, of a generalized program $P$ w.r.t. an Herbrand
interpretation $I$ as follows. $P^I$ results from $P$ by


1. deleting any rule $r$ in $P$ such that either $I \not\models B^-(r)$, or $I \models H(r)$ if $H(r) =
\mathit{not}\,A$ for some atom $A$; and

2. replacing any remaining rule $r$ by $r^I$, where $r^I = H(r) \leftarrow B^+(r)$ if $H(r)$ is
positive, and $r^I = \ \leftarrow B^+(r)$ otherwise ($r^I$ is called the reduct of $r$).


Observe that $P^I$ is a positive program, hence $lm(P^I)$ is well-defined. We say
that $I$ is a stable model of $P$ iff $lm(P^I) = I$. By $\mathcal{S}(P)$ we denote the set of all
stable models of $P$. A program is satisfiable if $\mathcal{S}(P) \neq \emptyset$.
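
The reduct and the stable-model condition above can be sketched in a few lines of Python. This is only an illustration under assumptions that are not part of the paper: atoms are strings, a default literal is written "not a", a rule is a pair (head, body), the value None stands for the case where a positive program has no model, and all function names are hypothetical. Stable models are found by naive enumeration of all interpretations, which is feasible only for very small programs.

```python
from itertools import chain, combinations

# Encoding (an assumption of this sketch): an atom is a string such as "a",
# a default literal is "not a", and a rule is a pair (head, body) where
# head is a literal or None (constraint) and body is a tuple of literals.

def is_neg(lit):
    return lit.startswith("not ")

def atom(lit):
    return lit[4:] if is_neg(lit) else lit

def holds(lit, interp):
    """I |= L for a literal L and a set of atoms I."""
    return (atom(lit) in interp) != is_neg(lit)

def reduct(program, interp):
    """The reduct P^I: definite rules plus constraints (head None)."""
    result = []
    for head, body in program:
        if any(is_neg(l) and not holds(l, interp) for l in body):
            continue  # step 1: I does not satisfy B^-(r)
        if head is not None and is_neg(head) and holds(head, interp):
            continue  # step 1: the negative head is true in I
        positive_body = tuple(l for l in body if not is_neg(l))
        keeps_head = head is not None and not is_neg(head)
        result.append((head if keeps_head else None, positive_body))  # step 2
    return result

def least_model(positive_program):
    """lm(P) for a positive program; None encodes 'P has no model'."""
    model = set()
    changed = True
    while changed:
        changed = False
        for head, body in positive_program:
            if head is not None and head not in model and all(b in model for b in body):
                model.add(head)
                changed = True
    if any(head is None and all(b in model for b in body)
           for head, body in positive_program):
        return None  # some constraint is violated by the least candidate
    return model

def stable_models(program, atoms):
    """All I with lm(P^I) = I, found by enumerating the subsets of atoms."""
    ordered = sorted(atoms)
    subsets = chain.from_iterable(
        combinations(ordered, k) for k in range(len(ordered) + 1))
    return [set(s) for s in subsets
            if least_model(reduct(program, set(s))) == set(s)]

kb_union_u = [("a", ()), ("not a", ())]   # KB = {a <-} together with U = {not a <-}
p1 = [("sleep", ("not tv_on",)), ("tv_on", ()), ("watch_tv", ("tv_on",))]
print(stable_models(kb_union_u, {"a"}))
print(stable_models(p1, {"sleep", "tv_on", "watch_tv"}))
```

The first call returns an empty list, matching the inconsistency of the union of $a \leftarrow$ and $\mathit{not}\,a \leftarrow$ noted in the introduction; the second returns the single stable model containing tv_on and watch_tv.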
We regard a logic program P as the epistemic state of an agent. The given
semantics is used for assigning a belief state to any epistemic state P in the 
following way. 

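Let $I \subseteq \mathcal{A}$ be an Herbrand interpretation. Define


$Bel_{\mathcal{A}}(I) = \{ r \in \mathcal{L}_{\mathcal{A}} \mid I \models r \}$.


Furthermore, for a class $\mathcal{I}$ of interpretations, define $Bel_{\mathcal{A}}(\mathcal{I}) = \bigcap_{I \in \mathcal{I}} Bel_{\mathcal{A}}(I)$.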


Definition 2.1. For a logic program $P$, the belief state, $Bel_{\mathcal{A}}(P)$, of $P$ is given
by $Bel_{\mathcal{A}}(P) = Bel_{\mathcal{A}}(\mathcal{S}(P))$, where $\mathcal{S}(P)$ is the collection of all stable models
of $P$.


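We write $P \models_{\mathcal{A}} r$ if $r \in Bel_{\mathcal{A}}(P)$. As well, for any program $Q$, we write $P \models_{\mathcal{A}} Q$
if $P \models_{\mathcal{A}} q$ for all $q \in Q$. Two programs, $P_1$ and $P_2$, are equivalent (modulo the
set $\mathcal{A}$), symbolically $P_1 \equiv_{\mathcal{A}} P_2$, iff $Bel_{\mathcal{A}}(P_1) = Bel_{\mathcal{A}}(P_2)$. Usually we will drop
the subscript “$\mathcal{A}$” in $Bel_{\mathcal{A}}(\cdot)$, $\models_{\mathcal{A}}$, and $\equiv_{\mathcal{A}}$ if no ambiguity can arise.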

An alternative for defining the belief state would consist in considering brave 
rather than cautious inference, which we omit here. 

Belief states enjoy the following natural properties: 


Theorem 2.1. For every logic program $P$, we have that:
1. $P \subseteq Bel(P)$;
2. $Bel(Bel(P)) = Bel(P)$;
3. $\{ r \mid I \models r, \text{ for every interpretation } I \} \subseteq Bel(P)$.


Clearly, the belief operator $Bel(\cdot)$ is nonmonotonic, i.e., in general $P_1 \subseteq P_2$
does not imply $Bel(P_1) \subseteq Bel(P_2)$.
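
The nonmonotonicity of $Bel(\cdot)$ can be observed on a two-rule program. The following Python sketch is restricted, as a simplifying assumption, to normal logic programs (positive heads, no constraints); the encoding of rules as (head, body) pairs and the names sat, satisfies, and believes are hypothetical and serve illustration only. Membership of a rule in the belief state is tested by cautious inference over all stable models.

```python
from itertools import combinations

# Sketch for normal logic programs only (positive heads, no constraints).
# A rule is (head, body); literals are "a" or "not a".

def sat(lit, interp):
    """I |= L for a literal L and a set of atoms I."""
    if lit.startswith("not "):
        return lit[4:] not in interp
    return lit in interp

def stable_models(program, atoms):
    ordered, found = sorted(atoms), []
    for k in range(len(ordered) + 1):
        for cand in map(set, combinations(ordered, k)):
            # Reduct: drop rules whose negative body fails, keep positive bodies.
            red = [(h, [l for l in b if not l.startswith("not ")])
                   for h, b in program
                   if all(sat(l, cand) for l in b if l.startswith("not "))]
            lm = set()
            while True:
                derived = {h for h, b in red if all(x in lm for x in b)}
                if derived <= lm:
                    break
                lm |= derived
            if lm == cand:
                found.append(cand)
    return found

def satisfies(interp, rule):
    """I |= r: the head holds whenever the whole body holds."""
    head, body = rule
    return sat(head, interp) or not all(sat(l, interp) for l in body)

def believes(program, atoms, rule):
    """r in Bel(P): r holds in every stable model of P (cautious inference)."""
    return all(satisfies(m, rule) for m in stable_models(program, atoms))

atoms = {"a", "b"}
p1 = [("a", ["not b"])]
p2 = p1 + [("b", [])]          # P1 is a subset of P2
fact_a = ("a", [])
print(believes(p1, atoms, fact_a), believes(p2, atoms, fact_a))  # True False
```

Here the fact $a \leftarrow$ belongs to $Bel(P_1)$ but not to $Bel(P_2)$, although $P_1 \subseteq P_2$: adding the fact $b \leftarrow$ blocks the only rule that derives $a$.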


3 Update Programs 


We introduce a framework for update programs which simplifies the approach
introduced in [2]. By an update sequence, $P$, we understand a series $P_1, \dots, P_n$
of general logic programs where each $P_i$ is assumed to update the information
expressed by the initial section $P_1, \dots, P_{i-1}$. This update sequence is translated
into a single program $P'$ representing the update information given by $P$. The
“intended” stable models of $P$ are identified with the stable models of $P'$ (modulo
the original language).

Let $P = P_1, \dots, P_n$ be an update sequence over a set of atoms $\mathcal{A}$. We assume
a set of atoms $\mathcal{A}^*$ extending $\mathcal{A}$ by new, pairwise distinct atoms $rej(\cdot)$, $A_i$, and
$A_i^-$, where $A \in \mathcal{A}$ and $1 \leq i \leq n$. Furthermore, we assume an injective naming
function $N(\cdot, \cdot)$, which assigns to each rule $r$ in a program $P_i$ a distinguished
name, $N(r, P_i)$, obeying the condition $N(r, P_i) \neq N(r', P_j)$ whenever $i \neq j$.
With a slight abuse of notation we shall identify $r$ with $N(r, P_i)$ as usual.

Definition 3.1. Given an update sequence $P = P_1, \dots, P_n$ over a set of atoms
$\mathcal{A}$, we define the update program $P_{\triangleleft} = P_1 \triangleleft \dots \triangleleft P_n$ over $\mathcal{A}^*$ consisting of the
following items:

1. all constraints in $P_i$, $1 \leq i \leq n$;

2. for each $r \in P_i$, $1 \leq i \leq n$:

$A_i \leftarrow B(r), \mathit{not}\ rej(r)$ if $H(r) = A$;
$A_i^- \leftarrow B(r), \mathit{not}\ rej(r)$ if $H(r) = \mathit{not}\,A$;

3. for each $r \in P_i$, $1 \leq i < n$:

$rej(r) \leftarrow B(r), A_{i+1}^-$ if $H(r) = A$;
$rej(r) \leftarrow B(r), A_{i+1}$ if $H(r) = \mathit{not}\,A$;

4. for each atom $A$ occurring in $P$ ($1 \leq i < n$):

$A_i^- \leftarrow A_{i+1}^-$; $A_i \leftarrow A_{i+1}$; $A \leftarrow A_1$; $\leftarrow A_1, A_1^-$.

Informally, this program expresses layered derivability of an atom $A$ or a
literal $\mathit{not}\,A$, beginning at the top layer $P_n$, downwards to the bottom layer $P_1$.
The rule $r$ at layer $P_i$ is only applicable if it is not refuted by a literal $L$ that is
incompatible with $H(r)$ derived at a higher level. Inertia rules propagate a locally
derived value for $A$ downwards to the first level, where the local value is made
global; the constraint $\leftarrow A_1, A_1^-$ is used here in place of the rule $\mathit{not}\,A \leftarrow A_1^-$.

Similar to the transformation given in [2], $P_{\triangleleft}$ is modular in the sense that
the transformation for $P' = P_1, \dots, P_n, P_{n+1}$ augments $P_{\triangleleft} = P_1 \triangleleft \dots \triangleleft P_n$ only
with rules depending on $n + 1$.

We remark that $P_{\triangleleft}$ can obviously be slightly simplified, which is relevant for
implementing our approach. All literals $\mathit{not}\ rej(r)$ in rules with heads $A_n$ or $A_n^-$
can be removed: since $rej(r)$ cannot be derived, they evaluate to true in each
stable model of $P_{\triangleleft}$. Thus, no rule from $P_n$ is rejected in a stable model of $P_{\triangleleft}$,
i.e., all most recent rules are obeyed.
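
The transformation of Definition 3.1 is purely syntactic and can be sketched as a short Python function. The encoding is an assumption made for illustration: each program is a dictionary from rule names to (head, body) pairs, the new atoms $A_i$ and $A_i^-$ are spelled "A_i" and "A_i-", and $rej(r)$ is spelled "rej(name)". The function name update_program and the helper layered are hypothetical, and the sketch assumes that no original atom already carries such a suffix. The simplification for the top layer mentioned above is not applied.

```python
def is_neg(lit):
    return lit.startswith("not ")

def atom(lit):
    return lit[4:] if is_neg(lit) else lit

def layered(a, i, negative=False):
    """Name of the new atom A_i, or of A_i^- when negative is True."""
    return f"{a}_{i}-" if negative else f"{a}_{i}"

def update_program(sequence):
    """Rules of P_1 <| ... <| P_n for a list of programs.

    Each program maps a rule name to (head, body); head is a literal
    ("a" or "not a") or None for a constraint.
    """
    n = len(sequence)
    rules, atoms = [], set()
    for i, prog in enumerate(sequence, start=1):
        for name, (head, body) in prog.items():
            body = tuple(body)
            atoms.update(atom(l) for l in body)
            if head is None:
                rules.append((None, body))                      # item 1
                continue
            a, negative = atom(head), is_neg(head)
            atoms.add(a)
            rules.append((layered(a, i, negative),
                          body + (f"not rej({name})",)))        # item 2
            if i < n:                                           # item 3
                rules.append((f"rej({name})",
                              body + (layered(a, i + 1, not negative),)))
    for a in sorted(atoms):                                     # item 4
        for i in range(1, n):
            rules.append((layered(a, i, True), (layered(a, i + 1, True),)))
            rules.append((layered(a, i), (layered(a, i + 1),)))
        rules.append((a, (layered(a, 1),)))
        rules.append((None, (layered(a, 1), layered(a, 1, True))))
    return rules

p1 = {"r1": ("sleep", ["not tv_on"]), "r2": ("tv_on", []),
      "r3": ("watch_tv", ["tv_on"])}
p2 = {"r4": ("not tv_on", ["power_failure"]), "r5": ("power_failure", [])}
rules = update_program([p1, p2])
for head, body in rules:
    print(head or "", "<-", ", ".join(body))
```

For the two programs used in Example 3.1, the output contains, among others, the rejection rule rej(r2) <- tv_on_2-, which lets the newer rule r4 override the fact r2. Because the translation is modular, appending a further program only adds rules for the new layer and for the step from the previous top layer to it.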

The intended models of an update sequence $P = P_1, \dots, P_n$ are defined in
terms of the stable models of $P_{\triangleleft}$.


Definition 3.2. Let $P = P_1, \dots, P_n$ be an update sequence over a set of atoms
$\mathcal{A}$. Then, $S \subseteq \mathcal{A}$ is an (update) stable model of $P$ iff $S = S' \cap \mathcal{A}$ for some stable
model $S'$ of $P_{\triangleleft}$. The collection of all update stable models of $P$ is denoted by
$\mathcal{U}(P)$.


Following the case of single programs, an update sequence $P = P_1, \dots, P_n$ is
regarded as the epistemic state of an agent, and the belief state $Bel(P)$ is given
by $Bel(\mathcal{U}(P))$. As well, the update sequence $P$ is satisfiable iff $\mathcal{U}(P) \neq \emptyset$.

To illustrate Definition 3.2, consider the following example, taken from [2]. 


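Example 3.1. Consider the update of $P_1$ by $P_2$, where


$P_1 = \{\, r_1\colon \mathit{sleep} \leftarrow \mathit{not}\ \mathit{tv\_on},\quad r_2\colon \mathit{tv\_on} \leftarrow,\quad r_3\colon \mathit{watch\_tv} \leftarrow \mathit{tv\_on} \,\}$;

$P_2 = \{\, r_4\colon \mathit{not}\ \mathit{tv\_on} \leftarrow \mathit{power\_failure},\quad r_5\colon \mathit{power\_failure} \leftarrow \,\}$.


The single stable model of $P = P_1, P_2$ is, as desired, $S = \{\mathit{power\_failure}, \mathit{sleep}\}$,
since $S'$ is the only stable model of $P_{\triangleleft}$:


$S' = \{\, \mathit{power\_failure}_2,\ \mathit{power\_failure}_1,\ \mathit{power\_failure},\ \mathit{tv\_on}_2^-,\ \mathit{tv\_on}_1^-,\ rej(r_2),\ \mathit{sleep}_1,\ \mathit{sleep} \,\}$.


If new information arrives in form of the program $P_3$:

$P_3 = \{\, r_6\colon \mathit{not}\ \mathit{power\_failure} \leftarrow \,\}$,


then the update sequence $P_1, P_2, P_3$ has the stable model $T = \{\mathit{tv\_on}, \mathit{watch\_tv}\}$,
generated by the model $T'$ of $P_1 \triangleleft P_2 \triangleleft P_3$:


$T' = \{\, \mathit{power\_failure}_3^-,\ \mathit{power\_failure}_2^-,\ \mathit{power\_failure}_1^-,\ rej(r_5),\ \mathit{tv\_on}_1,\ \mathit{tv\_on},\ \mathit{watch\_tv}_1,\ \mathit{watch\_tv} \,\}$.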


Next, we discuss some properties of our approach. The first result guarantees
that stable models of $P$ are uniquely determined by the stable models of $P_{\triangleleft}$.


Theorem 3.1. Let $P = P_1, \dots, P_n$ be an update sequence over a set of atoms
$\mathcal{A}$, and let $S, T$ be stable models of $P_{\triangleleft}$. Then, $S \cap \mathcal{A} = T \cap \mathcal{A}$ only if $S = T$.


If an update sequence $P$ consists of a single program, the notion of update
stable models of $P$ and regular stable models of $P$ coincide.


Theorem 3.2. Let $P$ be an update sequence consisting of a single program $P_1$,
i.e., $P = P_1$. Then, $\mathcal{U}(P) = \mathcal{S}(P_1)$.


Stable models of update sequences can also be characterized in a purely 
declarative way. To this end, we introduce the following concept. 

For an update sequence $P = P_1, \dots, P_n$ over a set of atoms $\mathcal{A}$ and $S \subseteq \mathcal{A}$, we
define the rejection set of $S$ by $Rej(S, P) = \bigcup_{i=1}^{n} Rej_i(S, P)$, where $Rej_n(S, P) =
\emptyset$, and, for $n > i \geq 1$,


$Rej_i(S, P) = \{\, r \in P_i \mid \exists r' \in P_j \setminus Rej_j(S, P), \text{ for some } j \in \{i+1, \dots, n\},
\text{ such that } H(r') = \mathit{not}\,H(r) \text{ and } S \models B(r) \cup B(r') \,\}$.


That is, $Rej(S, P)$ contains those rules from $P$ which are rejected on the basis
of rules which are not rejected themselves.

We obtain the following characterization of stable models, mirroring a similar
result given in [2].


Theorem 3.3. Let $P = P_1, \dots, P_n$ be an update sequence over a set of atoms
$\mathcal{A}$, and let $S \subseteq \mathcal{A}$. Then, $S$ is a stable model of $P$ iff $S = lm((P \setminus Rej(S, P))^S)$.
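
The declarative characterization lends itself to a direct, if naive, check. The Python sketch below computes the rejection sets layer by layer from the top and then tests the fixpoint condition of Theorem 3.3 for every candidate $S \subseteq \mathcal{A}$. It is meant as an illustration under assumptions: rules are (head, body) pairs with literals written "a" or "not a", the value None stands for a positive program without a model, all function names are hypothetical, and exhaustive enumeration is only practical for very small alphabets.

```python
from itertools import combinations

# Rules are (head, body) with literals "a" / "not a"; head None is a constraint.
# An update sequence is a list of programs, each a list of rules.

def is_neg(lit):
    return lit.startswith("not ")

def atom(lit):
    return lit[4:] if is_neg(lit) else lit

def complement(lit):
    return atom(lit) if is_neg(lit) else "not " + lit

def holds(lit, s):
    return (atom(lit) in s) != is_neg(lit)

def rejection_sets(s, sequence):
    """rejected[i] lists the rules of P_{i+1} that lie in Rej_{i+1}(S, P)."""
    n = len(sequence)
    rejected = [[] for _ in range(n)]            # Rej_n(S, P) is empty
    for i in range(n - 2, -1, -1):               # layers n-1 down to 1
        for rule in sequence[i]:
            head, body = rule
            if head is None:
                continue
            for j in range(i + 1, n):
                if any(h2 == complement(head)
                       and all(holds(l, s) for l in tuple(body) + tuple(b2))
                       for (h2, b2) in sequence[j]
                       if (h2, b2) not in rejected[j]):
                    rejected[i].append(rule)
                    break
    return rejected

def least_model_of_reduct(rules, s):
    """lm(Q^S) for a collection of rules Q; None encodes 'no model'."""
    definite, constraints = [], []
    for head, body in rules:
        if not all(holds(l, s) for l in body if is_neg(l)):
            continue                              # rule deleted by the reduct
        positive_body = [l for l in body if not is_neg(l)]
        if head is not None and not is_neg(head):
            definite.append((head, positive_body))
        elif head is None or not holds(head, s):
            constraints.append(positive_body)     # negative head false in S
    model = set()
    while True:
        derived = {h for h, b in definite if all(x in model for x in b)}
        if derived <= model:
            break
        model |= derived
    if any(all(x in model for x in b) for b in constraints):
        return None
    return model

def update_stable_models(sequence):
    atoms = sorted({atom(l) for prog in sequence for h, b in prog
                    for l in ([h] if h else []) + list(b)})
    found = []
    for k in range(len(atoms) + 1):
        for s in map(set, combinations(atoms, k)):
            rejected = rejection_sets(s, sequence)
            kept = [r for i, prog in enumerate(sequence)
                    for r in prog if r not in rejected[i]]
            if least_model_of_reduct(kept, s) == s:
                found.append(s)
    return found

p1 = [("sleep", ("not tv_on",)), ("tv_on", ()), ("watch_tv", ("tv_on",))]
p2 = [("not tv_on", ("power_failure",)), ("power_failure", ())]
p3 = [("not power_failure", ())]
print(update_stable_models([p1, p2]))
print(update_stable_models([p1, p2, p3]))
```

On the programs of Example 3.1, the first call yields the single model containing power_failure and sleep, and the second the single model containing tv_on and watch_tv, in agreement with the models $S$ and $T$ given there. For a sequence of length one, no rule is rejected and the check reduces to the ordinary stable-model condition, as stated in Theorem 3.2.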
4 Principles of Update Sequences


In this section, we discuss several kinds of postulates which have been advocated 
in the literature on belief change and examine to what extent update sequences 
satisfy these principles. This issue has not been addressed extensively in previ- 
ous work [2,3]. We first consider update programs from the perspective of belief 
revision, and assess the relevant postulates from this area. Afterwards, we briefly 
analyze further properties, like viewing update programs as nonmonotonic con- 
sequence operators and other general principles. 


4.1 Belief Revision 


Following [14], two different approaches to belief revision can be distinguished: 
(i) immediate revision, where the new information is simply added to the current 
stock of beliefs and the belief change is accomplished through the semantics of 
the underlying (often, nonmonotonic) logic; and (ii) logic-constrained revision, 
where the new stock of beliefs is determined by a nontrivial operation which 
adds and retracts beliefs, respecting logical inference and some constraints. 

In the latter approach, it is assumed that beliefs are sentences from some
given logical language $\mathcal{L}_B$ which is closed under the standard boolean connectives.
A belief set, $K$, is a subset of $\mathcal{L}_B$ which is closed under a consequence
operator $Cn(\cdot)$ of the underlying logic. A belief base for $K$ is a subset $B \subseteq K$
such that $K = Cn(B)$. A belief base is a special case of an epistemic state [10],
which is a set of sentences $E$ representing an associated belief set $K$ in terms of
a mapping $Bel(\cdot)$ such that $K = Bel(E)$, where $E$ need not necessarily have the
same language as $K$.

In what follows, we first introduce different classes of postulates, and then 
we examine them with respect to update sequences. 


AGM Postulates One of the main aims of logic-constrained revision is to
characterize suitable revision operators through postulates. Alchourrón, Gärdenfors,
and Makinson (AGM) [1] considered three basic operations on a belief set $K$:


— expansion $K + \phi$, which is simply adding the new information $\phi \in \mathcal{L}_B$ to $K$;

— revision $K \star \phi$, which is sensibly revising $K$ in the light of $\phi$ (in particular,
when $K$ contradicts $\phi$); and

— contraction $K - \phi$, which is removing $\phi$ from $K$.


AGM presented a set of postulates, $K{\star}1$–$K{\star}8$, that any revision operator $\star$ mapping
a belief set $K \subseteq \mathcal{L}_B$ and a sentence $\phi \in \mathcal{L}_B$ into the revised belief set
$K \star \phi$ should satisfy. If, following [10,8], we assume that $K$ is represented by an
epistemic state $E$, then the postulates $K{\star}1$–$K{\star}8$ can be reformulated as follows:


(K1) $E \star \phi$ represents a belief set.
(K2) $\phi \in Bel(E \star \phi)$.
(K3) $Bel(E \star \phi) \subseteq Bel(E + \phi)$.
(K4) $\neg\phi \notin Bel(E)$ implies $Bel(E + \phi) \subseteq Bel(E \star \phi)$.
(K5) $\bot \in Bel(E \star \phi)$ iff $\phi$ is unsatisfiable.
(K6) $\phi_1 \equiv \phi_2$ implies $Bel(E \star \phi_1) = Bel(E \star \phi_2)$.
(K7) $Bel(E \star (\phi \wedge \psi)) \subseteq Bel((E \star \phi) + \psi)$.
(K8) $\neg\psi \notin Bel(E \star \phi)$ implies $Bel((E \star \phi) + \psi) \subseteq Bel(E \star (\phi \wedge \psi))$.


Here, $E \star \phi$ and $E + \phi$ are the revision and expansion operations, respectively,
applied to $E$. Informally, these postulates express that the new information should
be reflected after the revision, and that the belief set should change as little
as possible. As has been pointed out, this set of postulates is appropriate for new
information about an unchanged world, but not for incorporation of a change to
the actual world. Such a mechanism is addressed by the next set of postulates,
expressing update operations.


Update Postulates For update operators $B \diamond \phi$ realizing a change $\phi$ to a belief
base $B$, Katsuno and Mendelzon [18] proposed a set of postulates, $U{\diamond}1$–$U{\diamond}8$,
where both $\phi$ and $B$ are propositional sentences over a finitary language. For
epistemic states $E$, these postulates can be reformulated as follows.


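(U1) $\phi \in Bel(E \diamond \phi)$.
(U2) $\phi \in Bel(E)$ implies $Bel(E \diamond \phi) = Bel(E)$.
(U3) If $Bel(E)$ is consistent and $\phi$ is satisfiable, then $Bel(E \diamond \phi)$ is consistent.
(U4) If $Bel(E) = Bel(E')$ and $\phi \equiv \psi$, then $Bel(E \diamond \phi) = Bel(E' \diamond \psi)$.
(U5) $Bel(E \diamond (\phi \wedge \psi)) \subseteq Bel((E \diamond \phi) + \psi)$.
(U6) If $\phi \in Bel(E \diamond \psi)$ and $\psi \in Bel(E \diamond \phi)$, then $Bel(E \diamond \phi) = Bel(E \diamond \psi)$.
(U7) If $Bel(E)$ is complete, then $Bel(E \diamond (\psi \vee \psi')) \subseteq Bel((E \diamond \psi) \wedge (E \diamond \psi'))$.¹
(U8) $Bel((E \vee E') \diamond \psi) = Bel((E \diamond \psi) \vee (E' \diamond \psi))$.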


Here, conjunction and disjunction of epistemic states are presumed to be 
definable in the given language (like, e.g., in terms of intersection and union of 
associated sets of models, respectively). 

The most important differences between (K1)–(K8) and (U1)–(U8) are that
revision, if $\phi$ is compatible with $E$, should yield the same result as expansion
$E + \phi$, which is not desirable for update in general, cf. [24]. On the other hand,
(U8) says that if $E$ can be decomposed into a disjunction of states (e.g., models),
then each case can be updated separately and the overall results are formed by
taking the disjunction of the emerging states.


Iterated Revision Darwiche and Pearl [10] have proposed postulates for iterated
revision, which can be rephrased in our setting as follows (we omit parentheses
in sequences $(E \star \psi_1) \star \psi_2$ of revisions):


(C1) If $\psi_2 \in Bel(\psi_1)$, then $Bel(E \star \psi_2 \star \psi_1) = Bel(E \star \psi_1)$.
(C2) If $\neg\psi_2 \in Bel(\psi_1)$, then $Bel(E \star \psi_1 \star \psi_2) = Bel(E \star \psi_2)$.
(C3) If $\psi_2 \in Bel(E \star \psi_1)$, then $\psi_2 \in Bel(E \star \psi_2 \star \psi_1)$.
(C4) If $\neg\psi_2 \notin Bel(E \star \psi_1)$, then $\neg\psi_2 \notin Bel(E \star \psi_2 \star \psi_1)$.
(C5) If $\neg\psi_2 \in Bel(E \star \psi_1)$ and $\psi_1 \notin Bel(E \star \psi_2)$, then $\psi_1 \notin Bel(E \star \psi_1 \star \psi_2)$.
(C6) If $\neg\psi_2 \in Bel(E \star \psi_1)$ and $\neg\psi_1 \in Bel(E \star \psi_2)$, then $\neg\psi_1 \in Bel(E \star \psi_1 \star \psi_2)$.


¹ A belief set $K$ is complete iff, for each atom $A$, either $A \in K$ or $\neg A \in K$.

Another set of postulates for iterated revision, corresponding to a sequence
$E$ of observations, has been formulated by Lehmann [19]. Here each observation
is a sentence which is assumed to be consistent (i.e., falsity is not observed), and
the epistemic state $E$ has an associated belief set $Bel(E)$. Lehmann’s postulates
read as follows, where $E, E'$ denote sequences of observations and “,” stands for
concatenation:


(I1) $Bel(E)$ is a consistent belief set.
(I2) $\phi \in Bel(E, \phi)$.
(I3) If $\psi \in Bel(E, \phi)$, then $\phi \Rightarrow \psi \in Bel(E)$.
(I4) If $\phi \in Bel(E)$, then $Bel(E, \phi, E') = Bel(E, E')$.
(I5) If $\psi \vdash \phi$, then $Bel(E, \phi, \psi, E') = Bel(E, \psi, E')$.
(I6) If $\neg\psi \notin Bel(E, \phi)$, then $Bel(E, \phi, \psi, E') = Bel(E, \phi, \phi \wedge \psi, E')$.
(I7) $Bel(E, \neg\phi, \phi) \subseteq Cn(E + \phi)$.


Analysis of the Postulates In order to evaluate the different postulates, we
need to adapt them for the setting of update programs. Naturally, the epistemic
state $P = P_1, \dots, P_n$ of an agent is subject to revision. However, the associated
belief set $Bel(P)$ ($\subseteq \mathcal{L}_{\mathcal{A}}$) does not belong to a logical language closed
under boolean connectives. Closing $\mathcal{L}_{\mathcal{A}}$ under conjunction does not cause much
trouble, as the identification of finite GLPs with finite conjunctions of clauses
allows an update of a GLP $P$ by a program $P_1$ to be viewed as the update
of $P$ with a single sentence from the underlying belief language. Ambiguities
arise, however, with the interpretation of expansion, as well as the meaning of
negation and disjunction of rules and programs, respectively.

Depending on whether the particular structure of the epistemic state $E$
should be respected, different definitions of expansion are imaginable in our
framework. At the “extensional” level of sentences, represented by a program
or sequence of programs $P$, $Bel(P + P')$ is defined as $Bel(Bel(P) \cup P')$. At
the “intensional” level of sequences $P = P_1, \dots, P_n$, $Bel(P + P')$ could be
defined as $Bel(P_1, \dots, P_n \cup P')$. An intermediate approach would be defining
$Bel(P + P') = Bel_{\mathcal{A}}(P_{\triangleleft} \cup P')$. We adopt the extensional view here. Note that,
in general, adding $P'$ to $Bel(P)$ does not amount to the semantical intersection
of $P'$ and $Bel(P)$ (nor of $P$ and $P'$, respectively).

As for negation, we might interpret the condition $\neg\phi \notin Bel(E)$ (or $\neg\psi \notin
Bel(E \star \phi)$ in (K4) and (K8)) as a satisfiability requirement for $E + \phi$ (or $(E \star \phi) + \psi$).

Disjunction $\vee$ of rules or programs (as epistemic states) appears to be meaningful
only at the semantical level. The union $\mathcal{S}(P_1) \cup \mathcal{S}(P_2)$ of the sets of stable
models of programs $P_1$ and $P_2$ may be represented syntactically through a program
$P_3$, which in general requires an extended set of atoms. We thus do not
consider the postulates involving $\vee$.


Postulate | Interpretation | Postulate holds
(K1) | $(P_1, P_2)$ represents a belief set | yes
(K2), (U1) | $P_2 \subseteq Bel(P_1, P_2)$ | yes
(U2) | $Bel(P_2) \subseteq Bel(P_1)$ implies $Bel(P_1, P_2) = Bel(P_1)$ | no
(K3) | $Bel(P_1, P_2) \subseteq Bel(Bel(P_1) \cup P_2)$ | yes
(U3) | If $P_1$ and $P_2$ are satisfiable, then $(P_1, P_2)$ is satisfiable | no
(K4) | If $Bel(P_1) \cup P_2$ has a stable model, then $Bel(Bel(P_1) \cup P_2) \subseteq Bel(P_1, P_2)$ | no
(K5) | $(P_1, P_2)$ is unsatisfiable iff $P_2$ is unsatisfiable | no
(K6), (U4) | $P_1 \equiv P_1'$ and $P_2 \equiv P_2'$ implies $(P_1, P_2) \equiv (P_1', P_2')$ | no
(K7), (U5) | $Bel(P_1, P_2 \cup P_3) \subseteq Bel(Bel(P_1, P_2) \cup P_3)$ | yes
(U6) | If $Bel(P_3) \subseteq Bel(P_1, P_2)$ and $Bel(P_2) \subseteq Bel(P_1, P_3)$, then $Bel(P_1, P_2) = Bel(P_1, P_3)$ | no
(K8) | If $Bel(P_1, P_2) \cup P_3$ is satisfiable, then $Bel(Bel(P_1, P_2) \cup P_3) \subseteq Bel(P_1, P_2 \cup P_3)$ | no


Table 1. Interpretation of Postulates (K1)–(K8) and (U1)–(U6).


Given these considerations, Table 1 summarizes our interpretation of postulates
(K1)–(K8) and (U1)–(U6), and indicates whether the respective
property holds or fails. We assume that $P_1$ is a nonempty sequence of GLPs.

Thus, apart from very simple postulates, the majority of the adapted AGM
and update postulates are violated by update programs. This holds even for the
case where $P_1$ is a single program. In particular, $Bel(P_1, P_2)$ violates discriminating
postulates such as (U2) for update and (K4) for revision. In the light of
this, update programs have neither update nor revision flavor.

We remark that the picture does not change if we abandon extensional expan- 
sion and consider the postulates under intensional expansion. Thus, also under 
this view, update programs do not satisfy minimality of change. 

The postulates (C1)–(C6) and (I1)–(I7) for iterated revision are treated in
Table 2. Concerning Lehmann’s [19] postulates, (I3) is considered as the counterpart
to AGM postulate $K{\star}3$. In a literal interpretation of (I3), we may, since the
belief language associated with GLPs does not have implication, consider the
case where $\psi$ is a default literal $L_0$ and $\phi = L_1 \wedge \dots \wedge L_k$ is a conjunction of
literals $L_i$, such that $\phi \Rightarrow \psi$ corresponds to the rule $L_0 \leftarrow L_1, \dots, L_k$. Since the
negation of GLPs is not defined, we do not interpret (I7).

Note that, although postulate (C3) fails in general, it holds if $P_3$ contains a
single rule. Thus, all of the above postulates except (C4) fail, already if $P_1$ is a
single logic program, and, with the exception of (C3), each change is given by a
single rule.

A question at this point is whether, after all, the various belief change pos- 
tulates from above are meaningful for update programs. 

We can view the epistemic state $P = P_1, \dots, P_n$ of an agent as a prioritized
belief base in the spirit of [7,23,6]. Revision with a new piece of information $Q$ is
accomplished by simply changing the epistemic state to $P' = P_1, \dots, P_n, Q$. The
change of the belief base is then automatically accomplished by the nonmonotonic
semantics of a sequence of logic programs. Under this view, updating logic
programs amounts to an instance of the immediate revision approach.


Postulate | Interpretation | Postulate holds
(C1) | If $P_3 \subseteq Bel(P_2)$, then $Bel(P_1, P_3, P_2) = Bel(P_1, P_2)$ | no
(C2) | If $S \not\models P_3$, for all $S \in \mathcal{S}(P_2)$, then $Bel(P_1, P_3, P_2) = Bel(P_1, P_2)$ | no
(C3) | If $P_3 \subseteq Bel(P_1, P_2)$, then $P_3 \subseteq Bel(P_1, P_3, P_2)$ | no
(C4) | If $S \models P_3$ for some $S \in \mathcal{S}(P_1, P_2)$, then $S \models P_3$ for some $S \in \mathcal{S}(P_1, P_3, P_2)$ | yes
(C5) | If $S \not\models P_3$ for all $S \in \mathcal{S}(P_1, P_2)$ and $P_2 \not\subseteq Bel(P_1, P_3)$, then $P_2 \not\subseteq Bel(P_1, P_2, P_3)$ | no
(C6) | If $S \not\models P_3$ for all $S \in \mathcal{S}(P_1, P_2)$ and $S \not\models P_2$ for all $S \in \mathcal{S}(P_1, P_3)$, then $S \not\models P_2$ for all $S \in \mathcal{S}(P_1, P_2, P_3)$ | no
(I1) | $Bel(P_1)$ is a consistent belief set | no
(I2) | $P_2 \subseteq Bel(P_1, P_2)$ | yes
(I3) | If $L_0 \leftarrow\ \in Bel(P_1, \{L_1, \dots, L_k\})$, then $L_0 \leftarrow L_1, \dots, L_k \in Bel(P_1)$ | yes
(I4) | If $P_2 \subseteq Bel(P_1)$, then $Bel(P_1, P_2, P_3, \dots, P_n) = Bel(P_1, P_3, \dots, P_n)$ | no
(I5) | If $Bel(P_3) \subseteq Bel(P_2)$, then $Bel(P_1, P_2, P_3, P_4, \dots, P_n) = Bel(P_1, P_3, P_4, \dots, P_n)$ | no
(I6) | If $S \models P_3$ for some $S \in \mathcal{S}(P_1, P_2)$, then $Bel(P_1, P_2, P_3, P_4, \dots, P_n) = Bel(P_1, P_2, P_2 \cup P_3, P_4, \dots, P_n)$ | no


Table 2. Interpretation of Postulates (C1)–(C6) and (I1)–(I6).

On the other hand, referring to the update program, we may view the belief
set of the agent as represented through a pair (P, A) of a logic program P and
a (fixed) set of atoms A, such that its belief set is given by Bel(P). Under
this view, a new piece of information Q is incorporated into the belief set by
producing a representation, (P', A), of the new belief set, where P' = P ◁ Q.
Here, (a set of) sentences from an extended belief language is used to characterize
the new belief state, which is constructed by a nontrivial operation employing the
semantics of logic programs. Thus, update programs also have, to some extent,
a logic-constrained revision flavor. Nonetheless, as the failure of postulates
also shows, they are more an instance of immediate than of logic-constrained revision.
What we naturally expect, though, is that the two views described above amount
to the same at a technical level. However, as we shall demonstrate below, this is
not true in general.


4.2 Further Properties 


Belief revision has been related in [14] to nonmonotonic logics by interpreting it 
as an abstract consequence relation on sentences, where the epistemic state is 
fixed. In the same way, we can interpret update programs as an abstract consequence
relation |~_P on programs as follows. For a fixed epistemic state P and GLPs P1
and P2, we define


P1 |~_P P2 if and only if P2 ⊆ Bel(P, P1),


i.e., if the rules of P2 are in the belief state of the agent after update of the epistemic
state with P1.

Various properties for nonmonotonic inference operations have been identi- 
fied in the literature (see, e.g., [14]). Among them are Cautious Monotonicity, 
Cut, (Left) Conjunction, Rational Cautious Monotonicity, and Equivalence. Ex- 
cept for Cut, none of these properties hold. We recall that Cut denotes the 
following schema: 


A ∧ B1 ∧ ... ∧ Bm |~_P C     A |~_P B1   ...   A |~_P Bm
---------------------------------------------------------
                        A |~_P C


Additionally, we can also identify some very elemental properties which, as 
we believe, updates and sequences of updates should satisfy. The following list of 
properties is not developed in a systematic manner, though, and is by no means 
exhaustive. Update programs do enjoy, unless stated otherwise, these properties. 


Addition of Tautologies: If the program P2 contains only tautological clauses,
then (P1, P2) ≡ P1.

Initialization: (∅, P) ≡ P.

Idempotence: (P, P) ≡ P.

Idempotence for Sequences: (P1, P2, P2) ≡ (P1, P2).

Update of Disjoint Programs: If P = P1 ∪ P2 is a union of programs P1, P2
on disjoint alphabets, then (P, P3) ≡ (P1, P3) ∪ (P2, P3).

Parallel updates: If P2 and P3 are programs defined over disjoint alphabets,
then (P1, P2) ∪ (P1, P3) ≡ (P1, P2 ∪ P3). (Fails.)

Noninterference: If P2 and P3 are programs defined over disjoint alphabets,
then (P1, P2, P3) ≡ (P1, P3, P2).

Augmented update: If P2 ⊆ P3 then (P1, P2, P3) ≡ (P1, P3).


As mentioned before, a sequence of updates P = P1,...,Pn can be viewed
from the point of view of “immediate” revision or of “logic-constrained”
revision. The following property, which deserves particular attention, expresses
equivalence of these views (the property is formulated for the case n = 3):


Iterativity: For any epistemic state P1 and GLPs P2 and P3, it holds that
P1 ◁ P2 ◁ P3 ≡_A (P1 ◁ P2) ◁ P3.


However, this property fails. Informally, soundness of this property would
mean that a sequence of three updates is a shorthand for iterated update of a
single program, i.e., the result of P1 ◁ P2 is viewed as a singleton sequence. Stated
another way, this property would mean that the definition for P1 ◁ P2 ◁ P3 can
be viewed as a shorthand for the nested case. Vice versa, this property reads as
the possibility to forget an update once and for all, by incorporating it immediately
into the current belief set.

For a concrete counterexample, consider P1 = ∅, P2 = {a ←, not a ←},
P3 = {a ←}. The program P_◁ = P1 ◁ P2 ◁ P3 has a unique stable model, in
which a is true. On the other hand, (P1 ◁ P2) ◁ P3 has no stable model. Informally,
while the “local” inconsistency of P2 is removed in P1 ◁ P2 ◁ P3 by rejection of
the rule not a ← via P3, a similar rejection in (P1 ◁ P2) ◁ P3 is blocked because
of a renaming of the predicates in P1 ◁ P2. The local inconsistency of P2 is thus
not eliminated.

However, under certain conditions, which exclude such possibilities for local
inconsistencies, the iterativity property holds, as the following result shows:


Theorem 4.1. Let P = P1,...,Pn, n > 2, be an update sequence on a set of
atoms A. Suppose that, for any rules r1, r2 ∈ Pi, i < n, such that H(r1) =
not H(r2), the union B(r1) ∪ B(r2) of their bodies is unsatisfiable. Then:


(...((P1 ◁ P2) ◁ P3) ... ◁ Pn-1) ◁ Pn ≡_A P1 ◁ P2 ◁ P3 ◁ ... ◁ Pn.


5 Refined Semantics and Extensions 


Minimal and Strict Stable Models Even if we abandon the AGM view,
update programs do intuitively not respect minimality of change, as a new set
of rules P2 should be incorporated into an existing program P1 with as little
change as possible.

It appears natural to measure change in terms of the set of rules in P1 which
are abandoned. This leads us to prefer a stable model S1 of P = P1, P2 over
another stable model S2 if S1 satisfies a larger set of rules from P1 than S2.


Definition 5.1. Let P = P1,...,Pn be a sequence of GLPs. A stable model
S ∈ U(P) is minimal iff there is no T ∈ U(P) such that Rej(T, P) ⊂ Rej(S, P).


Example 5.1. Consider P1 = {r1: not a ←}, P2 = {r2: a ← not c}, and
P3 = {r3: c ← not d, r4: d ← not c}. Then (P1, P2) has the single stable
model {a}, which rejects the rule in P1. The sequence (P1, P2, P3) has two stable
models: S1 = {c} and S2 = {a, d}. S1 rejects no rule, while S2 rejects the rule
r1. Thus, S1 is preferred to S2 and S1 is minimal.


Minimal stable models put no further emphasis on the temporal order of 
updates. Rules in more recent updates may be violated in order to satisfy rules 
from previous updates. Eliminating this leads us to the following notion. 


Definition 5.2. Let S, S' ∈ U(P) for an update sequence P = P1,...,Pn. Then,
S is preferred to S' iff some i ∈ {1,...,n} exists such that (1) Rej_i(S, P) ⊂
Rej_i(S', P), and (2) Rej_j(S', P) = Rej_j(S, P), for all j = i+1,...,n. A stable
model S of P is strict, if no S' ∈ U(P) exists which is preferred to S.
Example 5.2. Consider P = P1, P2, P3, P4, where P1 = {r1: not a ←}, P2 =
{r2: a ← not c}, P3 = {r3: not c ←}, and P4 = {r4: c ← not d,
r5: d ← not c}. Then, P has two stable models, namely S1 = {c} and S2 =
{a, d}. We have Rej(S1, P) = {r3} and Rej(S2, P) = {r1}. Thus, Rej(S1, P)
and Rej(S2, P) are incomparable, and hence both S1 and S2 are minimal stable
models. However, compared to S2, S1 violates the more recent rule of P3.
Thus, S2 is the unique strict stable model.
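
The selection of minimal and strict models in Example 5.2 can be replayed mechanically. The following Python sketch assumes that the per-level rejection sets Rej_i(S, P) are already known and are passed in as plain data (here copied from the example); the function names and the dictionary encoding are illustrative choices, not part of the original formalism.

```python
from typing import Dict, FrozenSet, List

# rej[S][i] holds the names of the rules of P_(i+1) that the model S rejects.
RejLevels = List[FrozenSet[str]]


def all_rejected(levels: RejLevels) -> FrozenSet[str]:
    """Rej(S, P): union of the per-level rejection sets."""
    return frozenset().union(*levels)


def is_minimal(s: str, rej: Dict[str, RejLevels]) -> bool:
    """Definition 5.1: no model rejects a proper subset of Rej(S, P)."""
    mine = all_rejected(rej[s])
    return not any(all_rejected(rej[t]) < mine for t in rej)


def is_preferred(s: str, t: str, rej: Dict[str, RejLevels]) -> bool:
    """Definition 5.2: at some level i, S rejects a proper subset of what T
    rejects, and both models agree on every later level."""
    n = len(rej[s])
    return any(
        rej[s][i] < rej[t][i]
        and all(rej[s][j] == rej[t][j] for j in range(i + 1, n))
        for i in range(n)
    )


def is_strict(s: str, rej: Dict[str, RejLevels]) -> bool:
    """A model is strict if no other model is preferred to it."""
    return not any(is_preferred(t, s, rej) for t in rej if t != s)


# Rejection sets of Example 5.2: S1 rejects r3 (in P3), S2 rejects r1 (in P1).
empty = frozenset()
example_5_2 = {
    "S1": [empty, empty, frozenset({"r3"}), empty],
    "S2": [frozenset({"r1"}), empty, empty, empty],
}

print([s for s in example_5_2 if is_minimal(s, example_5_2)])
print([s for s in example_5_2 if is_strict(s, example_5_2)])
```

Both models pass the minimality test because their rejection sets are incomparable, while only S2 passes the strictness test, since the levels are compared from the most recent update downwards.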


Clearly every strict stable model is minimal, but not vice versa. Unsurpris- 
ingly, minimal and strict stable models do not satisfy AGM minimality of change. 

The trade-off for epistemic appeal is higher computational complexity than
for arbitrary stable models. Let Bel_min(P) (resp., Bel_str(P)) be the set of
beliefs induced by the collection of minimal (resp., strict) stable models of
P = P1,...,Pn.


Theorem 5.1. Given a sequence of programs P = P1, P2,...,Pn over a set of
atoms A, deciding whether

1. P has a stable model is NP-complete;

2. L ∈ Bel(P) for a given literal L is coNP-complete;

3. L ∈ Bel_min(P) (resp. L ∈ Bel_str(P)) for a given literal L is Π^P_2-complete.


Similar results have been derived by Inoue and Sakama [17]. The complexity 
results imply that minimal and strict stable models can be polynomially trans- 
lated into disjunctive logic programming, which is currently under investigation. 


Strong Negation Update programs can be easily extended to the setting of
generalized extended logic programs (GELPs), which have, besides not, also
strong negation ¬, as in [21]. Viewing, for A ∈ A, the formula ¬A as a fresh
atom, the rules not A ← ¬A and not ¬A ← A emulate the interpretation of
¬ in answer set semantics (cf., e.g., [2]). More precisely, the consistent answer
sets of a GELP P correspond one-to-one to the stable models of P^¬, which is P
augmented with the emulation rules for ¬A. Answer sets of a sequence of GELPs
P = P1,...,Pn can then be defined through this correspondence in terms of the
stable models of P^¬ = P1^¬,...,Pn^¬, such that Bel(P) = Bel(P^¬).

Like for dynamic logic programs [3], P^¬ can be simplified by removing some
of the emulation rules. Let CR(P) be the set of all emulation rules for atoms A
such that ¬A occurs in some rule head of P.


Theorem 5.2. For any sequence of GELPs P = P1,...,Pn over A, S ⊆ A ∪
{¬A | A ∈ A} is an answer set of P iff S ∈ U(P1,...,Pn-1, Pn ∪ CR(P)).
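
As an illustration of how the restricted set of emulation rules might be collected, here is a small Python sketch. The encoding is an assumption made for this example only: a rule is a pair of head and body literals, "-q" stands for the strong negation of q, and "not q" for its default negation. The sketch also assumes that an occurrence of ¬A under default negation in a head counts as an occurrence of ¬A.

```python
from typing import List, Tuple

# Assumed encoding: "-q" is the strong negation of q, "not q" its default negation.
Rule = Tuple[str, Tuple[str, ...]]  # (head literal, body literals)
Program = List[Rule]


def emulation_rules(atom: str) -> List[Rule]:
    """The two emulation rules  not A <- -A  and  not -A <- A  for one atom A."""
    return [("not " + atom, ("-" + atom,)), ("not -" + atom, (atom,))]


def cr(sequence: List[Program]) -> List[Rule]:
    """Emulation rules for every atom A whose strong negation occurs in a head."""
    atoms = set()
    for program in sequence:
        for head, _body in program:
            # Strip a leading default negation before looking for "-".
            literal = head[4:] if head.startswith("not ") else head
            if literal.startswith("-"):
                atoms.add(literal[1:])
    return [rule for atom in sorted(atoms) for rule in emulation_rules(atom)]


sequence = [[("q", ()), ("-q", ("a",))], [("a", ())]]
print(cr(sequence))
```

In the sample sequence only q has a strongly negated head, so emulation rules are produced for q but not for a.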


First-Order Programs The semantics of a sequence P = P1,...,Pn of first-order
GLPs, i.e., where A consists of nonground atoms in a first-order language,
is reduced to the ground case by defining it in terms of the sequence of instantiated
programs P* = P1*,...,Pn* over the Herbrand universe of P as usual. That
is, U(P) = U(P*). The definition of the update program P_◁ can be easily generalized
to non-ground programs, such that (P_◁)* = (P*)_◁, i.e., P_◁ faithfully represents
the update program for P*.
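
The instantiation step can be sketched in a few lines of Python. This is only an illustration under simplifying assumptions that the text does not make: rules are plain strings, variables are identifiers starting with an upper-case letter, constants are lower-case, and the language is function-free, so that the Herbrand universe is just the finite list of constants passed in.

```python
import re
from itertools import product
from typing import List

# Assumed convention: variables are identifiers starting with an upper-case letter.
VARIABLE = re.compile(r"\b[A-Z]\w*")


def ground_rule(rule: str, constants: List[str]) -> List[str]:
    """All instances of a rule obtained by replacing variables with constants."""
    variables = sorted(set(VARIABLE.findall(rule)))
    instances = []
    for values in product(constants, repeat=len(variables)):
        binding = dict(zip(variables, values))
        instances.append(VARIABLE.sub(lambda m: binding[m.group(0)], rule))
    return instances


def ground_sequence(sequence: List[List[str]], constants: List[str]) -> List[List[str]]:
    """Instantiate each program of the sequence separately, keeping the order."""
    return [
        [inst for rule in program for inst in ground_rule(rule, constants)]
        for program in sequence
    ]


print(ground_sequence([["p(X) <- q(X), not r(X)"], ["not p(a) <-"]], ["a", "b"]))
```

Each program is grounded on its own, so the position of a rule in the update sequence is preserved by the instantiation.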
6 Related Work


Dynamic Logic Programming Recall that our update programs syntactically
redefine dynamic logic programs for update in [2,5], which generalize the idea of
updating interpretations through revision programs [22]. In our view, they
reflect the workings behind this approach more transparently.

The major difference between our update programs and dynamic logic programs
is that the latter determine the values of atoms from the bottom level P1
upwards towards Pn, using inertia rules, while update programs determine the
values in a downward fashion.

Denote by ⊕P = P1 ⊕ ... ⊕ Pn the dynamic logic program of [2] for updating
P1 with P2,...,Pn over atoms A, which is a GLP over atoms A_dyn ⊇ A. For
any model M of Pn in A, let


Rejected(M, P) = ⋃_{i=1..n} {r ∈ Pi | ∃r' ∈ Pj, for some j ∈ {i+1,...,n}, such
                 that H(r') = not H(r) ∧ M ⊨ B(r) ∪ B(r')},
Defaults(M, P) = {not A | ∀r ∈ P: H(r) = A ⇒ M ⊭ B(r)}.


Stable models of ⊕P, projected to A, are semantically characterized as follows.


Definition 6.1. For a sequence P = P1,...,Pn of GLPs over atoms A, an
interpretation N ⊆ A_dyn is a stable model of ⊕P iff M = N ∩ A is a model of
Pn such that


M = lm(P \ Rejected(M, P) ∪ Defaults(M, P)).


Here, literals not A are considered as new atoms, where implicitly the constraint
← A, not A is added. Let us call any such M a dynamic stable model of P.

As one can see, we may replace Rej(S, P) in Theorem 3.3 by Rejected(S, P)
and add all rules in Defaults(S, P), as they vanish in the reduction by S. However,
this implies that update and dynamic stable models coincide.


Theorem 6.1. For any sequence P = P1,...,Pn of GLPs over atoms A, S ⊆ A
is a dynamic stable model of P iff S ∈ U(P).
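
For small propositional sequences, the characterization of Definition 6.1 can be checked by brute force. The Python sketch below is an illustration under stated assumptions, not an implementation taken from [2]: rules are encoded as pairs of a head literal and a tuple of body literals, "not a" is the default negation of a, the alphabet is taken to be the set of atoms occurring in the rules, and a candidate M is accepted when the least model of the non-rejected rules plus the defaults equals M together with not A for every atom A outside M. By Theorem 6.1 the models found should then also be the update stable models.

```python
from itertools import combinations
from typing import FrozenSet, List, Set, Tuple

Rule = Tuple[str, Tuple[str, ...]]  # (head literal, body literals)
Program = List[Rule]


def complement(literal: str) -> str:
    return literal[4:] if literal.startswith("not ") else "not " + literal


def holds(literal: str, m: FrozenSet[str]) -> bool:
    if literal.startswith("not "):
        return literal[4:] not in m
    return literal in m


def body_true(rule: Rule, m: FrozenSet[str]) -> bool:
    return all(holds(lit, m) for lit in rule[1])


def rejected(m: FrozenSet[str], seq: List[Program]) -> Set[Tuple[int, Rule]]:
    """Rules contradicted by a rule of a later program, with both bodies true in m."""
    out = set()
    for i, program in enumerate(seq):
        later = [r for p in seq[i + 1:] for r in p]
        for r in program:
            if body_true(r, m) and any(
                r2[0] == complement(r[0]) and body_true(r2, m) for r2 in later
            ):
                out.add((i, r))
    return out


def defaults(m: FrozenSet[str], seq: List[Program], atoms: List[str]) -> Set[str]:
    """not A for every atom A that no rule with a true body supports."""
    rules = [r for p in seq for r in p]
    return {
        "not " + a
        for a in atoms
        if not any(r[0] == a and body_true(r, m) for r in rules)
    }


def least_model(rules: List[Rule], facts: Set[str]) -> Set[str]:
    """Least model, treating literals "not A" as ordinary atoms."""
    model = set(facts)
    changed = True
    while changed:
        changed = False
        for head, body in rules:
            if head not in model and all(lit in model for lit in body):
                model.add(head)
                changed = True
    return model


def dynamic_stable_models(seq: List[Program]) -> List[Set[str]]:
    atoms = sorted({
        lit[4:] if lit.startswith("not ") else lit
        for p in seq for head, body in p for lit in (head, *body)
    })
    models = []
    for k in range(len(atoms) + 1):
        for subset in combinations(atoms, k):
            m = frozenset(subset)
            rej = rejected(m, seq)
            kept = [r for i, p in enumerate(seq) for r in p if (i, r) not in rej]
            target = set(m) | {"not " + a for a in atoms if a not in m}
            if least_model(kept, defaults(m, seq, atoms)) == target:
                models.append(set(m))
    return models


# Example 5.1: P1 = {not a <-}, P2 = {a <- not c}, P3 = {c <- not d, d <- not c}
p1 = [("not a", ())]
p2 = [("a", ("not c",))]
p3 = [("c", ("not d",)), ("d", ("not c",))]
print(dynamic_stable_models([p1, p2]))
print(dynamic_stable_models([p1, p2, p3]))
```

Run on the programs of Example 5.1, the search yields the single model {a} for (P1, P2) and the two models {c} and {a, d} for (P1, P2, P3), in agreement with the example. The enumeration is exponential in the number of atoms and is meant only for experimenting with small cases.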


Inheritance Programs A framework for logic programs with inheritance is
introduced in [9]. In a hierarchy of objects o1,...,on, represented by disjunctive
extended logic programs P1,...,Pn [15], possible conflicts in determining the
properties of oi are resolved by favoring rules which are more specific according
to the hierarchy, which is given by a (strict) partial order < over the objects.

If we identify oi with the indexed program Pi, an inheritance program consists
of a set P = {P1,...,Pn} of programs over atoms A and a partial order < on
P. The program P(Pi) for Pi (as an object) is given by P(Pi) = {Pi} ∪ {Pj |
Pi < Pj}, i.e., the collection of programs at and above Pi.

The semantics of P(Pi) is defined in terms of answer sets. In the rest of this
section, we assume that any program Pi ∈ P is disjunction-free and we simplify
definitions in [9] accordingly. For each literal L of the form A or ¬A, let ¬L denote
its opposite, and let Lit_A = A ∪ {¬A | A ∈ A}.
Definition 6.2. Let I ⊆ Lit_A be an interpretation and r ∈ Pj. Then, r is
overridden in I, if (1) I ⊨ B(r), (2) ¬H(r) ∈ I, and (3) there exists a rule
r1 ∈ Pi, for some Pi < Pj, such that H(r1) = ¬H(r).


An interpretation I ⊆ Lit_A is a model of P, if I satisfies all non-overridden
rules in P and the constraint ← A, not A for each atom A ∈ A; moreover, I is
minimal if it is the least model of all these rules. Answer sets are now as follows.


Definition 6.3. A model M of P = P(Pi) is a DLP<-answer set of P iff M
is a minimal model of P^M, where P^M = {r ∈ P | r is not overridden in M}^M
is the reduct of P by M.


It is natural to view an update sequence P = P1,...,Pn as an inheritance
program where later updates are considered more specific. That is, we might
view P as an inheritance program Pn < Pn-1 < ... < P1. It appears that the
latter is in fact equivalent to the update program P1 ◁ ... ◁ Pn.

For a sequence of GLPs P = P1,...,Pn over A, define the inheritance program
Q = Qn < Qn-1 < ... < Q1 as follows. Let P̂i be the program resulting
from Pi by replacing in rule heads the default negation not through ¬. Define
Q1 = P̂1 ∪ {¬A ← not A | A ∈ A} and Qj = P̂j, for j = 2,...,n. Then we
have the following.


Theorem 6.2. Let P = P1,...,Pn be a sequence of GLPs over atoms A. Then,
S ∈ U(P) iff S ∪ {¬A | A ∈ A \ S} is a DLP<-answer set of Q(P1,...,Pn).


Conversely, linear inheritance programs yield the same result as update pro- 
grams in the extension with classical negation. 


Theorem 6.3. Let P = P1 < ... < Pn be an inheritance program over atoms
A. Then, S is a DLP<-answer set of P iff S is an answer set of the sequence of
GELPs Pn, Pn-1,...,P1.


Thus, dynamic logic programs and inheritance programs are equivalent. 


Program Updates through Abduction On the basis of their notion of extended
abduction, Inoue and Sakama [17] define a framework for various update
problems. The most general is theory update, which is update of an extended logic
program (ELP) P1 by another such program P2. Informally, an abductive update
of P1 by P2 is a largest consistent program P' such that P2 ⊆ P' ⊆ P1 ∪ P2 holds.
This is formally captured in [17] by reducing the update problem to computing
a minimal set of abducible rules Q ⊆ P1 \ P2 such that (P1 ∪ P2) \ Q is consistent.
In terms of [16], P1 ∪ P2 is considered for abduction where the rules in P1 \ P2 are
abducible, and the intended update is realized via a minimal anti-explanation
for falsity, which removes abducible rules to restore consistency.

While this looks similar to our minimal updates, there is a salient difference:
abductive update does not respect causal rejection. A rule r from P1 \ P2 may
be rejected even if no rule r' in P2 fires whose head contradicts applying r. For
example, consider P1 = {q ←, ¬q ← a} and P2 = {a ←}. Both P1 and
P2 have consistent answer sets, while (P1, P2) has no stable model. In Inoue
and Sakama’s approach, one of the two rules in P1 will be removed. Note that
contradiction removal in a program P occurs as a special case (P1 = P, P2 = ∅).
Abductive updates are, due to inherent minimality of change, harder than
update programs; some abductive reasoning problems are Σ^P_2-complete [17].
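
The example above can be replayed with a brute-force search for inclusion-minimal sets Q of removed rules. The Python sketch below is a simplification made for illustration and not the procedure of [17]: it only handles programs without default negation, so that the unique answer set candidate is the least model, encodes ¬q as "-q", and takes consistency to mean that no atom occurs together with its strong negation.

```python
from itertools import combinations
from typing import List, Set, Tuple

Rule = Tuple[str, Tuple[str, ...]]  # (head, body); "-q" encodes the strong negation of q


def least_model(rules: List[Rule]) -> Set[str]:
    model: Set[str] = set()
    changed = True
    while changed:
        changed = False
        for head, body in rules:
            if head not in model and all(lit in model for lit in body):
                model.add(head)
                changed = True
    return model


def consistent(rules: List[Rule]) -> bool:
    """No literal occurs together with its strong negation in the least model."""
    model = least_model(rules)
    return not any("-" + lit in model for lit in model)


def minimal_removals(p1: List[Rule], p2: List[Rule]) -> List[Tuple[Rule, ...]]:
    """Inclusion-minimal sets Q of rules from P1 \\ P2 with (P1 u P2) \\ Q consistent."""
    union = list(dict.fromkeys(p1 + p2))
    abducible = [r for r in dict.fromkeys(p1) if r not in p2]
    found: List[Tuple[Rule, ...]] = []
    for k in range(len(abducible) + 1):
        for q in combinations(abducible, k):
            if any(set(f) <= set(q) for f in found):
                continue  # a subset already restores consistency
            if consistent([r for r in union if r not in q]):
                found.append(q)
    return found


p1 = [("q", ()), ("-q", ("a",))]
p2 = [("a", ())]
print(minimal_removals(p1, p2))
```

For P1 = {q ←, ¬q ← a} and P2 = {a ←}, the search finds two minimal choices, each removing exactly one of the two rules of P1, which matches the observation that one of the two rules will be removed.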


Updates through Priorities Zhang and Foo [13] define update of an ELP P1
by an ELP P2, based on their work on preferences [12], as a two-step approach: In
Step 1, each answer set S of P1 is updated to a closest answer set S' of P2, where
distance is in terms of the set of atoms on which S, S' disagree and closeness is
set inclusion. Then, a maximal set Q ⊆ P1 is chosen such that P3 = P2 ∪ Q has
an answer set containing S'. In Step 2, the answer sets of P3 are computed using
priorities, where rules of P2 have higher priority than rules of Q.

This approach is different from ours. It is in the spirit of the possible models
approach [24], which updates models of a propositional theory separately, thus
satisfying the update postulate U8. However, like in Inoue and Sakama’s approach,
rules are not removed on the basis of causal rejection. In particular, the
same result is obtained on the example there. Step 2 indicates a strong update
flavor of the approach, since rules are unnecessarily abandoned. For example,
update of P1 = {p ← not q} with P2 = {q ← not p} results in P2, even though
P1 ∪ P2 is consistent. Since the result of an update leads to a set of programs,
in general, naive handling of updates requires exponential space.


7 Conclusion 


We have considered the approach to updating logic programs based on dynamic 
logic programs [2,3] and investigated various properties of this approach. Com- 
paring it to other approaches and related work, we found that it is equivalent to 
a fragment of inheritance programs in [9]. 

Several issues remain for further work. A natural issue is the inverse of addi- 
tion, i.e. retraction of rules from a logic program. Dynamic logic programming 
evolved into LUPS [3], which is a language for specifying update behavior in 
terms of addition and retraction of sets of rules to a logic program. LUPS is 
generic, however, as in principle, different approaches to updating logic programs 
could provide the semantical basis for an update step. Exploring properties of the 
general framework, as well as of particular such instantiations, would be worth- 
while. Furthermore, reasoning about update programs describing the behavior 
of agents programmed in LUPS is an interesting issue. 

Another issue concerns postulates for update operators on logic programs and,
more generally, on nonmonotonic theories. As we have seen, several postulates
from the area of logical theory change fail for dynamic logic programs (see [8]
for related observations). This may partly be explained by nonmonotonicity of
stable semantics and the dominant role of syntax for update embodied by causal
rejection. However, similar features are not exceptional in the context of logic
programming. It would be interesting to know further postulates and desiderata
for update of logic programs besides the ones considered here, and an AGM style
characterization of update operators compliant with them.
Abstract This paper reports on the ongoing KeY project aimed at
bridging the gap between (a) object-oriented software engineering meth- 
ods and tools and (b) deductive verification. A distinctive feature of our 
approach is the use of a commercial CASE tool enhanced with function- 
ality for formal specification and deductive verification. 


1 Introduction 


1.1 Analysis of the Current Situation 


While formal methods are by now well established in hardware and system design 
(the majority of producers of integrated circuits are routinely using BDD-based 
model checking packages for design and validation), usage of formal methods 
in software development is currently confined essentially to academic research 
projects. There are industrial applications of formal software development [8], 
but they are still exceptional [9]. 

The limits of applicability of formal methods in software design are not de- 
fined by the potential range and power of existing approaches. Several case stud- 
ies clearly demonstrate that computer-aided specification and verification of re- 
alistic software is feasible [18]. The real problem lies in the excessive demand 
imposed by current tools on the skills of prospective users: 


1. Tools for formal software specification and verification are not integrated 
into industrial software engineering processes. 

2. User interfaces of verification tools are not ergonomic: they are complex, 
idiosyncratic, and are often without graphical support. 

3. Users of verification tools are expected to know syntax and semantics of one 
or more complex formal languages. Typically, at least a tactical program- 
ming language and a logical language are involved. And even worse, to make 
serious use of many tools, intimate knowledge of employed logic calculi and 
proof search strategies is necessary. 
Successful specification and verification of larger projects, therefore, is done
separately from software development by academic specialists with several years of
training in formal methods, in many cases by the tool developers themselves. 

While this is viable for projects with high safety and low secrecy demands, 
it is unlikely that formal software specification and verification will become a 
routine task in industry under these circumstances. 

The future challenge for formal software specification and verification is to 
make the considerable potential of existing methods and tools feasible to use in 
an industrial environment. This leads to the requirements: 


1. Tools for formal software specification and verification must be integrated 
into industrial software engineering procedures. 

2. User interfaces of these tools must comply with state-of-the-art software 
engineering tools. 

3. The necessary amount of training in formal methods must be minimized. 
Moreover, techniques involving formal software specification and verification 
must be teachable in a structured manner. They should be integrated in 
courses on software engineering topics. 


To be sure, the thought that full formal software verification might be possible 
without any background in formal methods is utopian. An industrial verification 
tool should, however, allow for gradual verification so that software engineers 
at any (including low) experience level with formal methods may benefit. In 
addition, an integrated tool with well-defined interfaces facilitates “outsourcing” 
those parts of the modeling process that require special skills. 

Another important motivation to integrate design, development, and verifi- 
cation of software is provided by modern software development methodologies 
which are iterative and incremental. Post mortem verification would enforce the 
antiquated waterfall model. Even worse, in a linear model the extra effort needed 
for verification cannot be parallelized and thus compensated by greater work 
force. Therefore, delivery time increases considerably and would make formally 
verified software decisively less competitive. 

But not only must the extra time for formal software development be within 
reasonable bounds, the cost of formal specification and verification in an indus- 
trial context requires accountability: 


4. It must be possible to give realistic estimations of the cost of each step 
in formal software specification and verification depending on the type of 
software and the degree of formalization. 


This implies immediately that the mere existence of tools for formal software
specification and verification is not sufficient; rather, formal specification and
verification have to be fully integrated into the software development process.


1.2 The KeY Project


Since November 1998 the authors have been working on a project addressing the
goals outlined in the previous section; we call it the KeY project (read “key”).
In the principal use case of the KeY system there are actors who want to
implement a software system that complies with given requirements and formally 
verify its correctness. The system is responsible for adding formal details to the 
analysis model, for creating conditions that ensure the correctness of refinement 
steps (called proof obligations), for finding proofs showing that these conditions 
are satisfied by the model, and for generating counter examples if they are not. 
Special features of KeY are: 


— We concentrate on object-oriented analysis and design methods (OOAD)— 
because of their key role in today’s software development practice—, and 
on JAVA as the target language. In particular, we use the Unified Modeling 
Language (UML) [24] for visual modeling of designs and specifications and 
the Object Constraint Language (OCL) for adding further restrictions. This
choice is supported by the fact that the UML (which contains OCL since
version 1.3) is not only an OMG standard, but has been adopted by all major
OOAD software vendors and is featured in recent OOAD textbooks [22].

— We use a commercial CASE tool as starting point and enhance it by ad- 
ditional functionality for formal specification and verification. The current 
tool of our choice is TogetherSoft’s TOGETHER 4.0. 

— Formal verification is based on an axiomatic semantics of the real program- 
ming language JAVA CARD [29] (soon to be replaced by Java 2 Micro Edition, 
J2ME). 

— As a case study to evaluate the usability of our approach we develop a scenario
using smart cards with JAVA CARD as programming language [15,17].
JAVA smart cards make an extremely suitable target for a case study:

  • As an object-oriented language, JAVA CARD is well suited for OOAD;

  • JAVA CARD lacks some crucial complications of the full JAVA language
    (no threads, fewer data types, no graphical user interfaces);

  • JAVA CARD applications are small (JAVA smart cards currently offer 16K
    memory for code);

  • at the same time, JAVA CARD applications are embedded into larger
    program systems or business processes which should be modeled (though
    not necessarily formally verified) as well;

  • JAVA CARD applications are often security-critical, thus giving incentive
    to apply formal methods;

  • the high number (usually millions) of deployed smart cards constitutes a
    new motivation for formal verification, because, in contrast to software
    run on standard computers, arbitrary updates are not feasible;¹

— Through direct contacts with software companies we check the soundness of 
our approach for real world applications (some of the experiences from these 
contacts are reported in [3]). 


The KeY system consists of three main components (see the Figure below on 
the right): 


¹ While JAVA CARD applets on smart cards can be updated in principle, for security
reasons this does not extend to those applets that verify and load updates.
[Figure: components of the KeY system: Modeling Component (CASE Tool, Extension for Precise Modeling), Verification Manager, Deduction Component (automated, interactive).]

— The modeling component: this component is based on the CASE tool and is
responsible for all user interactions (except interactive deduction). It is used
to generate and refine models, and to store and process them. The extensions
for precise modeling contain, e.g., an editor and a parser for the OCL.
Additional functionality for the verification process is provided, e.g., for
writing proof obligations.


— The verification manager: the link between the modeling component and the 
deduction component. It generates proof obligations expressed in formal logic 
from the refinement relations in the model. It stores and processes partial 
and completed proofs; and it is responsible for correctness management (to 
make sure, e.g., that there are no cyclic dependencies in proofs). 

— The deduction component. It is used to actually construct proofs—or counter 
examples—for proof obligations generated by the verification manager. It is 
based on an interactive verification system combined with powerful auto- 
mated deduction techniques that increase the degree of automation; it also 
contains a part for automatically generating counter examples from failed 
proof attempts. The interactive and automated techniques and those for 
finding counter examples are fully integrated and operate on the same data 
structures. 
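
One of the correctness checks mentioned for the verification manager, the absence of cyclic dependencies between proofs, amounts to cycle detection in a directed graph. The Python sketch below is purely hypothetical and does not describe the KeY implementation: it assumes that dependencies are given as a dictionary mapping each proof obligation or lemma (the names are invented) to the items its proof relies on, and reports one cycle if any exists.

```python
from typing import Dict, List, Optional


def find_cycle(deps: Dict[str, List[str]]) -> Optional[List[str]]:
    """Return one dependency cycle as a list of names, or None if there is none."""
    WHITE, GREY, BLACK = 0, 1, 2  # unvisited, on the current path, finished
    color: Dict[str, int] = {}
    path: List[str] = []

    def visit(node: str) -> Optional[List[str]]:
        color[node] = GREY
        path.append(node)
        for nxt in deps.get(node, []):
            state = color.get(nxt, WHITE)
            if state == GREY:
                # nxt is on the current path: the proofs depend on each other.
                return path[path.index(nxt):] + [nxt]
            if state == WHITE:
                cycle = visit(nxt)
                if cycle:
                    return cycle
        path.pop()
        color[node] = BLACK
        return None

    for node in deps:
        if color.get(node, WHITE) == WHITE:
            cycle = visit(node)
            if cycle:
                return cycle
    return None


# Hypothetical proof obligations and lemmas.
print(find_cycle({"po1": ["lemma_a"], "lemma_a": ["lemma_b"], "lemma_b": []}))
print(find_cycle({"po1": ["lemma_a"], "lemma_a": ["po1"]}))
```

A proof would only be accepted as complete if no cycle is reported for the items it depends on.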


Although consisting of different components, the KeY system is going to be fully 
integrated with a uniform user interface. 

A first KeY system prototype has been implemented, integrating the CASE 
tool TOGETHER and the system IBIJa [16] as (interactive) deduction component 
(it has limited capabilities and lacks the verification manager). Work on the full 
KeY system is in progress. 


2 Designing a System with KeY


2.1 The Modeling Process 


Software development is generally divided into four activities: analysis, design, 
implementation, and test. The KeY approach embraces verification as a fifth cat- 
egory. The way in which the development activities are arranged in a sequential 
order over time is called modeling process. It consists of different phases. The 
end of each phase is defined by certain criteria the actual model should meet 
(milestones). 

In some older process models like the waterfall model or Boehm’s spiral model 
no difference is made between the main activities—analysis, design, implemen- 
tation, test—and the process phases. More recent process models distinguish 
between phases and activities very carefully; for example, the Rational Unified
Process [19] uses the phases inception, elaboration, construction, and transition 
along with the above activities. 

The KeY system neither supports nor requires the usage of a particular
modeling process. However, it is taken into account that most modern processes
have two principles in common: they are iterative and incremental. The design
of an iteration is often regarded as the refinement of the design developed in the 
previous iteration. This has an influence on the way in which the KeY system 
treats UML models and additional verification tasks (see Section 2.3). The veri- 
fication activities are spread across all phases in software development. They are 
often carried out after test activities. 

[Figure: progress in modeling (horizontal axis) versus progress in proving (vertical axis), with paths (a), (b), and (c).]

We do not assume any dependencies between the increments in the development
process and the verification of proof obligations. On the right, progress in modeling
is depicted along the horizontal axis and progress in verifying proof obligations on
the vertical axis. The overall goal is to proceed from the upper left corner (empty
model, nothing proven) to the bottom right one (complete model, all proof
obligations verified). There are two extreme ways of doing that:


— First complete the whole modeling and coding process, only then start to 
verify (line (a)). 
— Start verifying proof obligations as soon as they are generated (line (b)). 


In practice an intermediate approach is chosen (line (c)). What exactly this
approach looks like is an important design decision of the verification process,
with strong impact on the possibilities for reuse, and is a topic of future research.


2.2 Specification with the UML and the OCL 


The diagrams of the Unified Modeling Language provide, in principle, an easy
and concise way to formulate various aspects of a specification. However, as Steve
Cook remarked [31, foreword]: “[...] there are many subtleties and nuances of
meaning diagrams cannot convey by themselves.”

This was a main source of motivation for the development of the Object
Constraint Language (OCL), part of the UML since version 1.3 [24]. Constraints
written in this language are understood in the context of a UML model; they
never stand by themselves. The OCL allows one to attach preconditions,
postconditions, invariants, and guards to specific elements of a UML model.

When designing a system with KeY, one develops a UML model that is en- 
riched by OCL constraints to make it more precise. This is done using the CASE 
tool integrated into the KeY system. To assist the user, the KeY system provides
menu- and dialog-driven input facilities. Certain standard tasks, for example,
generation of formal specifications of inductive data structures (including the
common ones such as lists, stacks, trees) in the UML and the OCL can be done 
in a fully automated way, while the user simply supplies names of constructors 
and selectors. Even if formal specifications cannot fully be composed in such a 
schematic way, considerable parts usually can. 

In addition, we have developed a method supporting the extension of a UML 
model by OCL constraints that is based on enriched design patterns. In the 
KeY system we provide common patterns that come complete with predefined 
OCL constraint schemata. They are flexible and allow the user to generate well- 
adapted constraints for the different instances of a pattern as easily as one uses 
patterns alone. The user need not write formal specifications from scratch, but
only adapt and complete them. A detailed description of this technique and
of experiences with its application in practice is given in [4].

As an example, consider the composite pattern, depicted in the accompanying
figure [11, p. 163ff]. This is a ubiquitous pattern in many contexts such as
user interfaces, recursive data structures, and, in particular, in the model
for the address book of an email client that is part of one of our case
studies.

[Figure: UML class diagram of the composite pattern. Recoverable labels: class
Leaf; role name children; operations +Operation(), +Add(c:Component),
+Remove(c:Component), +GetChild(i:int).]

The concrete Add and Remove operations in Composite are intuitively clear
but leave some questions unanswered. Can we add the same element twice? Some
implementations of the composite pattern allow this [14]. If it is not intended,
then one has to impose a constraint, such as:

    context Composite::Add(c:Component)
    post: self.children->select(p | p = c)->size = 1


This is a postcondition on the call of the operation Add in OCL syntax. After
completion of the operation call, the stated postcondition is guaranteed to be
true. Without going into details of the OCL, we give some hints on how to read
this expression. The arrow “->” indicates that the expression to its left
represents a collection of objects (a set, a bag, or a sequence), and the
operation to its right is to be applied to this collection. The dot “.” is used
to navigate within diagrams and (here) yields those objects associated to the
item on its left via the role name on its right. If $C$ is the multiset of all
children of the object self to which Add is applied, then the select operator
yields the set $A = \{p \in C \mid p = c\}$ and the subsequent integer-valued
operation size gives the number of elements in $A$. Thus, the postcondition
expresses that after adding c as a child to self, the object c occurs exactly
once among the children of self.
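
The postcondition can also be read operationally. The following Java sketch is
only an illustration under assumptions: the class layout, the helper
occurrences, and the decision to ignore a repeated Add are hypothetical choices
made here and are not taken from the KeY system. The list of children plays the
role of the multiset, and "p = c" is interpreted as object identity.

```java
import java.util.ArrayList;
import java.util.List;

// Hypothetical rendering of the composite pattern; all names are illustrative.
abstract class Component {
    abstract void operation();
}

class Leaf extends Component {
    @Override
    void operation() { /* leaf-specific behavior would go here */ }
}

class Composite extends Component {
    // A list may contain duplicates, so it can stand in for the multiset of children.
    private final List<Component> children = new ArrayList<>();

    @Override
    void operation() {
        for (Component child : children) {
            child.operation();
        }
    }

    // Counterpart of self.children->select(p | p = c)->size, using identity for "=".
    int occurrences(Component c) {
        int count = 0;
        for (Component p : children) {
            if (p == c) {
                count++;
            }
        }
        return count;
    }

    void add(Component c) {
        if (occurrences(c) == 0) {
            children.add(c);
        }
        // Run-time check of the postcondition: c occurs exactly once.
        if (occurrences(c) != 1) {
            throw new IllegalStateException("postcondition of add violated");
        }
    }

    void remove(Component c) {
        children.remove(c); // Component does not override equals, so this is identity-based
    }

    Component getChild(int i) {
        return children.get(i);
    }
}

final class CompositeDemo {
    public static void main(String[] args) {
        Composite root = new Composite();
        Leaf leaf = new Leaf();
        root.add(leaf);
        root.add(leaf); // the second call leaves the children unchanged
        System.out.println(root.occurrences(leaf));
    }
}
```

An implementation that simply appended c on every call would fail the run-time
check on the second add, which is exactly the situation the constraint rules out.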

There are many other useful (and more complex) constraints, e.g., the
constraint that the child relationship between objects of class Component is
acyclic.


2.3 The KeY Module Concept


The KeY system supports modularization of the model in a particular way. 
Those parts of a model that correspond to a certain component of the modeled 
system are grouped together and form a module. Modules are a different struc- 
turing concept than iterations and serve a different purpose. A module contains 
all the model components (diagrams, code etc.) that refer to a certain system 
component. A module is not restricted to a single level of refinement. 

There are three main reasons behind the module concept of the KeY system: 


Structuring: Models of large systems can be structured, which makes them 
easier to handle. 

Information hiding: Parts of a module that are not relevant for other modules 
are hidden. This makes it easier to change modules and correct them when 
errors are found, and to re-use them for different purposes. 

Verification of single modules: Different modules can be verified separately,
which allows large verification problems to be structured. If the size of
modules is limited, the complexity of verifying a system grows linearly in the
number of its modules and thus in the size of the system. This is indispensable
for the scalability of the KeY approach.


In the KeY approach, a hierarchical module concept with sub-modules sup- 
ports the structuring of large models. The modules in a system model form a 
tree with respect to the sub-module relation. 

Besides sub-modules and model components, a module contains the refine- 
ment relations between components that describe the same part of the modeled 
system in two consecutive levels of refinement. The verification problem associ- 
ated with a module is to show that these refinements are correct (see Section 3.1). 
The refinement relations must be provided by the user; typically, they include a 
signature mapping. 

To facilitate information hiding, a module is divided into a public part, its 
contract, and a private (hidden) part; the user can declare parts of each re- 
finement level as public or private. Only the public information of a module A 
is visible in another module B provided that module B implicitly or explicitly 
imports module A. Moreover, a component of module B belonging to some re- 
finement level can only see the visible information from module A that belongs 
to the same level. Thus, the private part of a module can be changed as long 
as its contract is not affected. For the description of a refinement relation (like 
a signature mapping) all elements of a module belonging to the initial model or 
the refined model are visible, whether declared public or not. 
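
The visibility rule for ordinary components can be summarized in a few lines of
Java. This is a hedged sketch, not the KeY system's data model: the classes
ModelElement and KeyModule, the integer refinement levels, and the method
visibleFrom are hypothetical, and only explicit imports are modeled. The special
case of refinement relations, which see all elements, is left out.

```java
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

// Hypothetical model element: belongs to one refinement level, public or private.
final class ModelElement {
    final String name;
    final int level;         // refinement level the element belongs to
    final boolean isPublic;  // true if the element is part of the contract

    ModelElement(String name, int level, boolean isPublic) {
        this.name = name;
        this.level = level;
        this.isPublic = isPublic;
    }
}

// Hypothetical module: a bag of elements plus the set of imported modules.
final class KeyModule {
    final String name;
    final List<ModelElement> elements = new ArrayList<>();
    final Set<KeyModule> imports = new HashSet<>();

    KeyModule(String name) {
        this.name = name;
    }

    KeyModule declare(String elementName, int level, boolean isPublic) {
        elements.add(new ModelElement(elementName, level, isPublic));
        return this;
    }

    // Names of the elements of `other` that a component of this module
    // at refinement level `level` can see.
    List<String> visibleFrom(KeyModule other, int level) {
        List<String> visible = new ArrayList<>();
        if (!imports.contains(other)) {
            return visible; // not imported: nothing is visible
        }
        for (ModelElement e : other.elements) {
            if (e.isPublic && e.level == level) {
                visible.add(e.name);
            }
        }
        return visible;
    }
}
```

Under this reading, changing or removing a private element of a module cannot
affect what any importing module sees, which is the point of separating the
contract from the hidden part.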

As the modeling process proceeds through iterations, the system model becomes
ever more precise. The final step is a special case, though: the involved
models (the implementation model and its realization in JAVA) do not
necessarily differ in precision, but use different paradigms (specification vs.
implementation) and different languages (UML with OCL vs. JAVA).²


² In conventional verification systems that do not use an iterative modeling process
[25,27], only these final two models exist (see also the following subsection). In such


28 Wolfgang Ahrendt et al. 


Below is a schematic example for the levels of refinement and the modules 
of a system model (the visibility aspect of modules is not represented here). 
Stronger refinement may require additional structure via (sub-)modules, hence 
the number of modules may increase with the degree of refinement. 


[Figure: schematic system model with refinement levels ranging from the
imprecise model to the precise model. Legend: module; part of a module within
one refinement level; refinement relation; import relation.]


Although the import and refinement relations are similar in some respects, 
there is a fundamental difference: by way of example, consider a system compo- 
nent being (imprecisely) modeled as a class DataStorage in an early iteration. It 
may later be refined to a class DataSet, which replaces DataStorage. On the other 
hand, the module containing DataSet could import a module DataList and use 
lists to implement sets, in which case lists are not a refinement of sets and do 
not replace them. 
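
The difference can be made concrete with a small Java sketch. The class bodies
below are assumptions made for illustration (the text only names DataStorage,
DataSet, and DataList): DataSet is what the refinement of DataStorage might end
up as, while DataList is an imported helper that DataSet uses but that does not
take the place of the set.

```java
import java.util.ArrayList;
import java.util.List;

// Hypothetical imported module: a plain list of integers.
class DataList {
    private final List<Integer> items = new ArrayList<>();

    boolean contains(int x) {
        return items.contains(x);
    }

    void append(int x) {
        items.add(x);
    }

    int length() {
        return items.size();
    }
}

// Hypothetical result of refining the imprecise DataStorage: a set of integers.
// It uses DataList internally; the list is an implementation aid, not a refinement.
class DataSet {
    private final DataList elements = new DataList();

    // Returns true if x was not yet a member.
    boolean insert(int x) {
        if (elements.contains(x)) {
            return false;
        }
        elements.append(x);
        return true;
    }

    boolean member(int x) {
        return elements.contains(x);
    }

    int size() {
        return elements.length();
    }
}
```

Clients of DataSet never see DataList, so the list could later be exchanged for
another imported structure without touching the refinement relation between
DataStorage and DataSet.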


Relation of KeY Modules to other Approaches. The ideas of refinement and
modularization in the KeY module concept can be compared with (and are partly
influenced by) the KIV approach [27] and the B Method [1].

In KIV, each module (in the above sense) corresponds to exactly two refine- 
ment levels, that is to say, a single refinement step. The first level is an algebraic 
data type, the second an imperative program, whose procedures intentionally im- 
plement the operations of the data type. The import relation allows the algebraic 
data type operations (not the program procedures!) of the imported module to 
appear textually in the program of the importing module. In contrast to this, 
the JAVA code of a KeY module directly calls methods of the imported module’s 
JAVA code. Thus, the object programs of our method are pure JAVA programs. 
Moreover, KeY modules in general have more than two refinement levels. 

The B Method offers (among other things) multi-level refinement of abstract
machines. There is an elaborate theory behind the precise semantics of a
refinement and the resulting proof obligations. This is possible because both a
machine and its refinement are completely formal, even if the refinement
happens to be less abstract. That differs from the situation in KeY, where all
but the last refinement levels are UML-based, and a refined part is typically
more formal than its origin. KeY advocates the integrated usage of notational
paradigms as opposed to, for example, prepending OOM to abstract machine
specification in the B Method [21].


systems, modules consist of a specification and an implementation that is a
refinement of the specification.


2.4 The Internal State of Objects


The formal specification of objects and their behavior requires special
techniques. One important aspect is that the behavior of objects depends on
their state, which is stored in their attributes. However, the methods of a
JAVA class can in general not be described as functions on their input, as they
may have side effects and change the state. To fully specify the behavior of an
object or class, it must be possible to refer to its state (including its
initial state). Difficulties may arise if methods for observing the state are
not defined or are declared private and, therefore, cannot be used in the
public contract of a class. To model such classes, observer methods have to be
added. These allow one to observe the state of a class without changing it.


Example 1. Let class Registry contain a method seen(o:Object):Boolean
that maintains a list of all the objects it has “seen”. It returns false if it
“sees” an object for the first time, and true otherwise. In this example, we
add the function state():Set(Object), which allows one to observe the state of
an object of class Registry by returning the set of all seen objects. The
behavior of seen can now be specified in the OCL as follows:


    context Registry::seen(o:Object)
    post: result = state@pre()->includes(o) and
          state() = state@pre()->including(o)


The OCL key word result refers to the return value of seen, while @pre
gives the result of state() before invocation of seen, which we denote by
oldstate. The OCL expression state@pre()->includes(o) then stands for
$o \in \mathit{oldstate}$ and state@pre()->including(o) stands for
$\mathit{oldstate} \cup \{o\}$.
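
A possible Java counterpart of Example 1 is sketched below. It is an
illustration only: the field name seenObjects and the run-time check are
assumptions, and membership is decided by equals/hashCode (via HashSet) rather
than by object identity, which may differ from the intended OCL reading. The
snapshot taken on entry plays the role of state@pre().

```java
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

class Registry {
    private final Set<Object> seenObjects = new HashSet<>();

    // Observer method: exposes the state without changing it.
    Set<Object> state() {
        return Collections.unmodifiableSet(new HashSet<>(seenObjects));
    }

    // Returns false on the first encounter with o and true afterwards.
    boolean seen(Object o) {
        Set<Object> oldState = state();        // snapshot, stands for state@pre()
        boolean result = !seenObjects.add(o);  // add returns true if o was new

        // Run-time check of the postcondition:
        //   result = oldstate->includes(o) and state() = oldstate->including(o)
        Set<Object> expected = new HashSet<>(oldState);
        expected.add(o);
        if (result != oldState.contains(o) || !state().equals(expected)) {
            throw new IllegalStateException("postcondition of seen violated");
        }
        return result;
    }
}

final class RegistryDemo {
    public static void main(String[] args) {
        Registry registry = new Registry();
        Object o = new Object();
        System.out.println(registry.seen(o));
        System.out.println(registry.seen(o));
    }
}
```

Without the observer state() the postcondition could not even be stated in the
public contract, since seenObjects is private.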


3 Formal Verification with KeY


Once a program is formally specified to a sufficient degree, one can start to
formally verify it. Neither a program nor its specification needs to be complete
in order to start verifying it. In the incomplete case one suitably weakens the
postconditions (leaving out properties of unimplemented or unspecified parts)
or strengthens preconditions (adding assumptions about unimplemented parts).
Data encapsulation and structuredness of OO designs are going to be of great
help here.


3.1 Proof Obligations 


We use constraints in two different ways: first, they can be part of a model
(the default); these constraints do not generate proof obligations by
themselves. Second, constraints can be given the status of a proof obligation;
these are not part of the model, but must be shown to hold in it. Proof
obligations may arise indirectly from constraints of the first kind: by checking
consistency of invariants, pre- and postconditions of a superclass and its
subclasses, by checking consistency of the postcondition of an operation and
the invariant of its result type, etc. Even more important are proof
obligations arising from iterative refinement steps. Proving that a diagram D’
is a sound refinement of a diagram D requires checking that the assertions
stated in D’ entail the assertions in D. A particular refinement step is the
passage from a fully refined specification to its realization in concrete code.


3.2 Dynamic Logic


We use Dynamic Logic (DL) [20]—an extension of Hoare logic [2]—as the logical 
basis of the KeY system’s software verification component. We believe that this 
is a good choice, as deduction in DL is based on symbolic program execution and 
simple program transformations, being close to a programmer’s understanding 
of JAVA CARD. For a more detailed description of our JAVA CARD DL than given 
here, see [5]. 

DL is successfully used in the KIV software verification system [27] for an
imperative programming language; and Poetzsch-Heffter and Müller’s definition
of a Hoare logic for a JAVA subset [26] shows that there are no principal
obstacles to adapting the DL/Hoare approach to OO languages.

DL can be seen as a modal predicate logic with a modality $\langle p \rangle$
for every program $p$ ($p$ can be any legal JAVA CARD program);
$\langle p \rangle$ refers to the successor worlds (called states in the DL
framework) reachable by running the program $p$. In classical DL there can be
several such states (worlds) because the programs can be non-deterministic;
here, since JAVA CARD programs are deterministic, there is exactly one such
world (if $p$ terminates) or there is none (if $p$ does not terminate). The
formula $\langle p \rangle\phi$ expresses that the program $p$ terminates in a
state in which $\phi$ holds. A formula $\phi \rightarrow \langle p \rangle\psi$
is valid if for every state $s$ satisfying precondition $\phi$ a run of the
program $p$ starting in $s$ terminates, and in the terminating state the
postcondition $\psi$ holds.
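
The deterministic reading of the modality can be mimicked in Java. The sketch
below makes strong simplifying assumptions that are not part of JAVA CARD DL: a
state is a single integer, a program is a function from a state to at most one
successor state (Optional.empty() standing for non-termination), and the
implication is only tested on a finite sample of states, which is not a proof
of validity. The names DiamondSketch, diamond, and holdsOn are hypothetical.

```java
import java.util.Optional;
import java.util.function.Function;
import java.util.function.Predicate;

final class DiamondSketch {
    // <p>phi holds in state s iff p terminates from s in a state satisfying phi.
    static Predicate<Integer> diamond(Function<Integer, Optional<Integer>> p,
                                      Predicate<Integer> phi) {
        return s -> p.apply(s).map(phi::test).orElse(false);
    }

    // Tests phi -> <p>psi on the given sample of states only.
    static boolean holdsOn(int[] states,
                           Predicate<Integer> phi,
                           Function<Integer, Optional<Integer>> p,
                           Predicate<Integer> psi) {
        Predicate<Integer> afterP = diamond(p, psi);
        for (int s : states) {
            if (phi.test(s) && !afterP.test(s)) {
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) {
        // Stands for "while (x != 0) x = x - 1;" on unbounded integers:
        // it ends with x == 0 for x >= 0 and does not terminate for x < 0.
        Function<Integer, Optional<Integer>> countdown =
            x -> x >= 0 ? Optional.of(0) : Optional.<Integer>empty();
        int[] sample = {-2, -1, 0, 1, 5};

        // Precondition x >= 0: the implication holds on the sample.
        System.out.println(holdsOn(sample, x -> x >= 0, countdown, x -> x == 0));
        // Trivial precondition: it fails, because the program diverges for x < 0.
        System.out.println(holdsOn(sample, x -> true, countdown, x -> x == 0));
    }
}
```

The second call shows why termination matters here: the postcondition itself is
never violated, yet the formula fails because no final state exists.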

The formula $\phi \rightarrow \langle p \rangle\psi$ is similar to the Hoare
triple $\{\phi\}\,p\,\{\psi\}$. In contrast to Hoare logic, the set of formulas
of DL is closed under the usual logical operators: in Hoare logic, the formulas
$\phi$ and $\psi$ are pure first-order formulas, whereas in DL they can contain
programs. DL allows programs to occur in the descriptions $\phi$ resp. $\psi$
of states. With this feature it is easy, for example, to specify that a data
structure is not cyclic (which is impossible in first-order logic). Also, all
JAVA constructs (e.g., instanceof) are available in DL for the description of
states. So it is not necessary to define an abstract data type state and to
represent states as terms of that type (as in [26]); instead, DL formulas can
be used to give a (partial) description of states, which is a more flexible
technique and allows one to concentrate on the relevant properties of a state.

In comparison to classical DL (that uses a toy programming language), a DL 
for a “real” OO programming language like JAVA CARD has to cope with some 
complications: (1) A program state does not only depend on the value of (local) 
program variables but also on the values of the attributes of all existing objects. 
(2) Evaluation of a JAVA expression may have side effects, so there is a difference 
between expressions and logical terms. (3) Such language features as built-in data 
types, exception handling, and object initialisation must be handled. 


The KeY Approach 31


3.3 Syntax and Semantics of Java Card DL 


We do not allow class definitions in the programs that are part of DL formulas, 
but define syntax and semantics of DL formulas with respect to a given JAVA CARD program
(the context), i.e., a sequence of class definitions. The programs in DL formu- 
las are executable code and comprise all legal JAVA CARD statements, includ- 
ing: (a) expression statements (assignments, method calls, new-statements, etc.); 
(b) blocks and compound statements built with if-else, switch, for, while, 
and do-while; (c) statements with exception handling using try-catch-finally; 
(d) statements that redirect the control flow (continue, return, break, throw). 

We allow programs in DL formulas (not in the context) to contain logical 
terms. Wherever a JAVA CARD expression can be used, a term of the same type 
as the expression can be used as well. Accordingly, expressions can contain terms 
(but not vice versa). Formulas are built as usual from the (logical) terms, the
predicate symbols (including the equality predicate =), the logical connectives
$\neg$, $\wedge$, $\vee$, $\rightarrow$, the quantifiers $\forall$ and $\exists$
(that can be applied to logical variables but not to program variables), and
the modal operator $\langle p \rangle$, i.e., if $p$ is a program and $\phi$ is
a formula, then $\langle p \rangle\phi$ is a formula as well.

The models of DL consist of program states. These states share the same 
universe containing a sufficient number of elements of each type. In each state a 
(possibly different) value (an element of the universe) of the appropriate type is 
assigned to: (a) the program variables, (b) the attributes (fields) of all objects, 
(c) the class attributes (static fields) of all classes in the context, and (d) the 
special object variable this. Variables and attributes of object types can be 
assigned the special value null. States do not contain any information on control 
flow such as a program counter or the fact that an exception has been thrown. 

The semantics of a program p is a state transition, i.e., it assigns to each 
state s the set of all states that can be reached by running p starting in s. 
Since JAVA CARD is deterministic, that set either contains exactly one state or 
is empty. The set of states of a model must be closed under the reachability 
relation for all programs $p$, i.e., all states that are reachable must exist in a
model (other models are not considered). 

We consider programs that terminate abnormally to be non-terminating:
nothing can be said about their final state. Examples are a program that throws
an uncaught exception and a return statement outside of a method invocation.
Thus, for example, $\langle \texttt{throw x;} \rangle\phi$ is unsatisfiable for
all $\phi$.³
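
The convention can be illustrated with a short Java sketch. It is not the KeY
semantics itself but a simplified analogue under assumptions: a state is one
integer, a program is a UnaryOperator on it, and only unchecked exceptions are
considered. The helper names run, diamond, and throwsException are hypothetical.

```java
import java.util.Optional;
import java.util.function.Predicate;
import java.util.function.UnaryOperator;

final class AbruptTermination {
    // Runs p on state s. An uncaught exception is treated like non-termination:
    // no final state is produced.
    static Optional<Integer> run(UnaryOperator<Integer> p, Integer s) {
        try {
            return Optional.of(p.apply(s));
        } catch (RuntimeException e) {
            return Optional.empty();
        }
    }

    // <p>phi in state s: false whenever p ends with an uncaught exception.
    static boolean diamond(UnaryOperator<Integer> p, Predicate<Integer> phi, Integer s) {
        return run(p, s).map(phi::test).orElse(false);
    }

    // Analogue of the idea in footnote 3: wrapping p in a try-catch turns
    // "p throws" into an ordinary, observable property.
    static boolean throwsException(UnaryOperator<Integer> p, Integer s) {
        return !run(p, s).isPresent();
    }
}
```

For a program that always throws, diamond is false for every postcondition,
including the trivially true one, while throwsException is true.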


3.4 A Sequent Calculus for Java Card DL 


We outline the ideas behind our sequent calculus for JAVA CARD DL and give 
some of its basic rules (actually, simplified versions of the rules, e.g., initialisation 
of objects and classes is not considered). The DL rules of our calculus operate on 


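³ It is still possible to express and (if true) prove the fact that a program $p$
terminates abnormally. For example,
$\langle \texttt{try\{}p\texttt{\}catch\{Exception e\}} \rangle(\neg\, e = \texttt{null})$
expresses that $p$ throws an exception.


\[
\frac{\Gamma \vdash \mathit{cnd} = \mathit{true} \qquad
      \Gamma \vdash \langle \pi\ \mathit{prg}\ \texttt{while}\,(\mathit{cnd})\ \mathit{prg}\ \omega \rangle\phi}
     {\Gamma \vdash \langle \pi\ \texttt{while}\,(\mathit{cnd})\ \mathit{prg}\ \omega \rangle\phi}
\tag{1}
\]

\[
\frac{\Gamma \vdash \mathit{cnd} = \mathit{false} \qquad
      \Gamma \vdash \langle \pi\ \omega \rangle\phi}
     {\Gamma \vdash \langle \pi\ \texttt{while}\,(\mathit{cnd})\ \mathit{prg}\ \omega \rangle\phi}
\tag{2}
\]

\[
\frac{\Gamma \vdash \mathit{instanceof}(\mathit{exc}, T) \qquad
      \Gamma \vdash \langle \pi\ \texttt{try\{}e\texttt{=}\mathit{exc};\ q\texttt{\}finally\{}r\texttt{\}}\ \omega \rangle\phi}
     {\Gamma \vdash \langle \pi\ \texttt{try\{throw }\mathit{exc};\ p\texttt{\}catch(}T\ e\texttt{)\{}q\texttt{\}finally\{}r\texttt{\}}\ \omega \rangle\phi}
\tag{3}
\]

\[
\frac{\Gamma \vdash \neg\,\mathit{instanceof}(\mathit{exc}, T) \qquad
      \Gamma \vdash \langle \pi\ r;\ \texttt{throw }\mathit{exc};\ \omega \rangle\phi}
     {\Gamma \vdash \langle \pi\ \texttt{try\{throw }\mathit{exc};\ p\texttt{\}catch(}T\ e\texttt{)\{}q\texttt{\}finally\{}r\texttt{\}}\ \omega \rangle\phi}
\tag{4}
\]

\[
\frac{\Gamma \vdash \langle \pi\ r\ \omega \rangle\phi}
     {\Gamma \vdash \langle \pi\ \texttt{try\{\}catch(}T\ e\texttt{)\{}q\texttt{\}finally\{}r\texttt{\}}\ \omega \rangle\phi}
\tag{5}
\]


Table 1. Some of the rules of our calculus for Java Card DL.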


the first active command $p$ of a program $\pi p \omega$. The non-active prefix
$\pi$ consists of an arbitrary sequence of opening braces “{”, labels,
beginnings “try{” of try-catch blocks, etc. The prefix is needed to keep track
of the blocks that the (first) active command is part of, such that the
commands throw, return, break, and continue that abruptly change the control
flow are handled correctly. (In classical DL, where no prefixes are needed, any
formula of the form $\langle p\,q \rangle\phi$ can be replaced by
$\langle p \rangle\langle q \rangle\phi$. In our calculus, splitting of
$\langle \pi p q \omega \rangle\phi$ into
$\langle \pi p \rangle\langle q \omega \rangle\phi$ is not possible (unless the
prefix $\pi$ is empty) because $\pi p$ is not a valid program; and the formula
$\langle \pi p \omega \rangle\langle \pi q \omega \rangle\phi$ cannot be used
either because its semantics is in general different from that of
$\langle \pi p q \omega \rangle\phi$.)

As examples, we present the rules for while loops and for exception handling.
The rules operate on sequents $\Gamma \vdash \phi$. The semantics of a sequent
is that the conjunction of the DL formulas in $\Gamma$ implies the DL formula
$\phi$. Sequents are used to represent proof obligations, proof (sub-)goals,
and lemmata.

Rules (1) and (2) in Table 1 allow one to “unwind” while loops. They are
simplified versions that only work if (a) the condition cnd is a logical term
(i.e., has no side effects), and (b) the program prg does not contain a continue
statement. These rules make it possible to handle loops if used in combination
with induction schemata. Similar rules are defined for do-while and for loops.
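
The effect of unwinding can be imitated on concrete states. The Java sketch
below is an analogue, not the calculus: the rules work symbolically on formulas,
whereas this code evaluates a loop on a single integer state. The names Unwind,
whileThen, and direct are hypothetical, and the condition is assumed to be free
of side effects, as required by (a).

```java
import java.util.function.Predicate;
import java.util.function.UnaryOperator;

final class Unwind {
    // Evaluates "while (cnd) prg; rest" on state s by unwinding one step at a time:
    //   cnd true  -> continue with "prg; while (cnd) prg; rest"   (as in rule (1))
    //   cnd false -> continue with "rest"                          (as in rule (2))
    static int whileThen(Predicate<Integer> cnd, UnaryOperator<Integer> prg,
                         UnaryOperator<Integer> rest, int s) {
        if (cnd.test(s)) {
            return whileThen(cnd, prg, rest, prg.apply(s));
        }
        return rest.apply(s);
    }

    // Reference semantics using Java's built-in loop.
    static int direct(Predicate<Integer> cnd, UnaryOperator<Integer> prg,
                      UnaryOperator<Integer> rest, int s) {
        while (cnd.test(s)) {
            s = prg.apply(s);
        }
        return rest.apply(s);
    }

    public static void main(String[] args) {
        // while (x < 10) x = x + 3;  followed by  x = x * 2;
        System.out.println(whileThen(x -> x < 10, x -> x + 3, x -> x * 2, 0));
        System.out.println(direct(x -> x < 10, x -> x + 3, x -> x * 2, 0));
    }
}
```

Both methods agree whenever the loop terminates. For loops with an unknown
number of iterations, plain unwinding never finishes, which is why the rules
have to be combined with induction.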

Rules (3)-(5) handle try-catch-finally blocks and the throw statement.
Again, these are simplified versions of the actual rules; they are only
applicable if (a) exc is a logical term (e.g., a program variable), and (b) the
statements break, continue, return do not occur. Rule (3) applies if an
exception exc is thrown that is an instance of exception class T, i.e., the
exception is caught; otherwise, if the exception is not caught, rule (4)
applies. Rule (5) applies if the try block is empty and terminates normally.
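
The program transformations behind rules (3) and (4) can be tried out directly
in Java. The sketch below is an illustration under assumptions: T is fixed to
IllegalArgumentException, the blocks q and r merely record that they ran, and
an outer catch (not part of the rules) is added only to make an uncaught
exception observable in the trace. The class and method names are hypothetical.

```java
import java.util.ArrayList;
import java.util.List;

final class TryCatchRules {
    // Conclusion side of rules (3)/(4): try{throw exc; p}catch(T e){q}finally{r}
    static List<String> original(RuntimeException exc) {
        List<String> trace = new ArrayList<>();
        try {
            try {
                throw exc; // p would follow here but is never reached
            } catch (IllegalArgumentException e) {
                trace.add("q");
            } finally {
                trace.add("r");
            }
        } catch (RuntimeException uncaught) {
            trace.add("uncaught");
        }
        return trace;
    }

    // Premise side: the simpler program selected by the instanceof test.
    static List<String> transformed(RuntimeException exc) {
        List<String> trace = new ArrayList<>();
        try {
            if (exc instanceof IllegalArgumentException) {
                // rule (3): try{e=exc; q}finally{r}
                try {
                    IllegalArgumentException e = (IllegalArgumentException) exc;
                    trace.add("q");
                } finally {
                    trace.add("r");
                }
            } else {
                // rule (4): r; throw exc;
                trace.add("r");
                throw exc;
            }
        } catch (RuntimeException uncaught) {
            trace.add("uncaught");
        }
        return trace;
    }
}
```

For any exception object, original and transformed produce the same trace,
which is the informal content of the two rules: the try-catch-finally statement
may be replaced by the simpler program selected by the instanceof premise.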


3.5 The KeY Deduction Component


The KeY system comprises a deductive component that can handle KeY-DL.
This KeY prover combines interactive and automated theorem proving techniques.
Experience with the KIV system [27] has shown how to cope with DL
proof obligations. The original goal is reduced to first-order predicate logic
using such DL rules as shown in the previous subsections. First-order goals can
be proven using theory-specific knowledge about the data types used.

We developed a language for expressing knowledge of specific theories—we 
are thinking here mainly of theories of abstract data types—in the form of proof 
rules. We believe that this format, stressing the operational aspect, is easier 
to understand and simpler to use than alternative approaches coding the same 
knowledge in declarative axioms, higher-order logic, or fixed sets of special proof 
rules. This format, called schematic theory specific rules, is explained in
detail in [16] and has been implemented in the interactive proof system IBIJa
(i11www.ira.uka.de/~ibija). In particular, a schematic theory specific rule
contains: (a) pure logical knowledge, (b) information on how this knowledge is
to be used, and (c) information on when and where this knowledge should be
presented for interactive use.

Nearly all potential rule applications are triggered by the occurrence of cer- 
tain terms or formulas in the proof context. The easy-to-use graphical user in- 
terface of IBIJa supports invocation of rule applications by mouse clicks on the 
relevant terms and formulas. The rule schema language is expressive enough to 
describe even complex induction rules. The rule schema language is carefully
designed in such a way that for every new schematic theory specific rule, IBIJa
automatically generates proof obligations in first-order logic. Once these
obligations are shown to be true, the soundness of all applications of this
rule is guaranteed. Hence, during each state of a proof, soundness-preserving
new rules can be introduced.

To be practically useful, interactive proving must be enhanced by automating
intermediate proof steps as much as possible. Therefore, the KeY prover
combines IBIJa with automated proof search in the style of analytic tableaux.
This integration is based on the concepts described in [12,13]. A screen shot of
a typical situation as it may arise during proof construction with our prototype
is shown below. The user may either interactively apply a rule (button “Apply
Selected Rule”) or invoke the automated deduction component (button “Start
PRINS”).


[Figure: screen shot of the KeY prover prototype.]

In a real development process, resulting programs are often bug-ridden;
therefore, the ability to disprove correctness is as important as the ability
to prove it. The interesting and common case is that neither correctness nor
its negation is deducible from given assumptions. A typical reason is that data
structures are underspecified. We may, for example, not have any knowledge
about the behavior of, say, pop(s:Stack):Stack if s is empty. To recognize such
situations, which often lead to bugs in the implementation, we develop special
deductive techniques. They are based on automatically constructing
interpretations (of data type operations) that fulfill all assumptions but
falsify the hypothesis.
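
The idea of a falsifying interpretation can be shown on the pop example. The
Java sketch below is an illustration only and does not reproduce the deductive
techniques mentioned above: the axiom pop(push(s, x)) = s, the hypothesis
"pop(s) differs from s for all s", the finite sample of stacks, and all names
are assumptions chosen here. Two interpretations of pop are checked by hand
rather than constructed automatically.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.function.UnaryOperator;

final class CounterInterpretation {
    static List<Integer> push(List<Integer> s, int x) {
        List<Integer> t = new ArrayList<>(s);
        t.add(x);
        return t;
    }

    // An interpretation of pop; only its value on the empty stack is left open.
    static UnaryOperator<List<Integer>> pop(List<Integer> valueOnEmpty) {
        return s -> s.isEmpty()
            ? valueOnEmpty
            : new ArrayList<Integer>(s.subList(0, s.size() - 1));
    }

    // Assumption: pop(push(s, x)) = s for all sampled stacks s and x in {0, 1}.
    static boolean satisfiesAxiom(UnaryOperator<List<Integer>> pop,
                                  List<List<Integer>> stacks) {
        for (List<Integer> s : stacks) {
            for (int x = 0; x < 2; x++) {
                if (!pop.apply(push(s, x)).equals(s)) {
                    return false;
                }
            }
        }
        return true;
    }

    // Hypothesis: pop(s) differs from s for all sampled stacks s.
    static boolean satisfiesHypothesis(UnaryOperator<List<Integer>> pop,
                                       List<List<Integer>> stacks) {
        for (List<Integer> s : stacks) {
            if (pop.apply(s).equals(s)) {
                return false;
            }
        }
        return true;
    }
}
```

If pop maps the empty stack to itself, the axiom holds but the hypothesis fails;
if pop maps the empty stack to some non-empty stack, both hold. On this sample,
neither the hypothesis nor its negation follows from the axiom, which is the
underspecification the text describes.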


4 Related Work 


There are many projects dealing with formal methods in software engineering,
including several aimed at JAVA as a target language. There is also work
on security of JAVA CARD and ACTIVEX applications as well as on secure smart
card applications in general. We are, however, not aware of any project quite
like ours. We mention some of the more closely related projects.

A thorough mathematical analysis of Java using Abstract State Machines 
has been given in [6]. Following another approach, a precise semantics of a Java 
sublanguage was obtained by embedding it into Isabelle/HOL [23]; there, an 
axiomatic semantics is used in a similar spirit as in the present paper. 

The COGITO project [30] resulted in an integrated formal software development
methodology and support system based on extended Z as specification
language and Ada as target language. It is not integrated into a CASE tool, but
stand-alone.

The FUZE project [10] realized CASE tool support for integrating the FUSION
OOAD process with the formal specification language Z. The aim was
to formalize OOAD methods and notations such as the UML, whereas we are
interested in deriving formal specifications with the help of an OOAD process
extension.

The goal of the QUEST project [28] is to enrich the CASE tool AUTOFOCUS
for the description of distributed systems with means for formal specification
and support by model checking. Applications are embedded systems; description
formalisms are state charts, activity diagrams, and temporal logic.

The aim of the SYSLAB project is the development of a scientifically founded
approach for software and systems development. At the core is a precise and
formal notion of hierarchical “documents” consisting of informal text, message
sequence charts, state transition systems, object models, specifications, and
programs. All documents have a “mathematical system model” that allows
dependencies or transformations to be described precisely [7].

The goal of the PROSPER project was to provide the means to deliver the
benefits of mechanized formal specification and verification to system designers
in industry (www.dcs.gla.ac.uk/prosper/index.html). The difference from the
KeY project is that the dominant goal is hardware verification, and the software
part involves only specification.


5 Conclusion and the Future of KeY


In this paper we described the current state of the KeY project and its ultimate 
goal: To facilitate and promote the use of formal verification in an industrial 
context for real-world applications. It remains to be seen to which degree this 
goal can be achieved. 

Our vision is to make the logical formalisms transparent for the user with re- 
spect to OO modeling. That is, whenever user interaction is required, the current 
state of the verification task is presented in terms of the environment the user 
has created so far and not in terms of the underlying deduction machinery. The 
situation is comparable to a symbolic debugger that lets the user step through 
the source code of a program while it actually executes compiled machine code.


Abstract. We introduce a family of languages intended for representing
knowledge and reasoning about metric (and more general distance)
spaces. While the simplest language can speak only about distances
between individual objects and Boolean relations between sets, the more
expressive ones are capable of capturing notions such as ‘somewhere in
(or somewhere out of) the sphere of a certain radius’, ‘everywhere in
a certain ring’, etc. The computational complexity of the satisfiability
problem for formulas in our languages ranges from NP-completeness to
undecidability and depends on the class of distance spaces in which they
are interpreted. Besides the class of all metric spaces, we consider, for
example, the spaces $\mathbb{R} \times \mathbb{R}$ and
$\mathbb{N} \times \mathbb{N}$ with their natural metrics.


1 Introduction 


The concept of ‘distance between objects’ is one of the most fundamental abstrac- 
tions both in science and in everyday life. Imagine for instance (only imagine) 
that you are going to buy a house in London. You then inform your estate agent 
about your intention and provide her with a number of constraints: 


(A) The house should not be too far from your college, say, not more than 
10 miles. 

(B) The house should be close to shops, restaurants, and a movie theatre; 
all this should be reachable, say, within 1 mile. 

(C) There should be a ‘green zone’ around the house, at least within 2 miles 
in each direction. 

(D) Factories and motorways must be far from the house, not closer than 
5 miles. 

(E) There must be a sports center around, and moreover, all sports centers 
of the district should be reachable on foot, i.e., they should be within, 
say, 3 miles. 

(F) And of course there must be a tube station around, not too close, but 
not too far either: somewhere between 0.5 and 1 mile.

‘Distances’ can be induced by different measures. We may be interested in the
physical distance between two cities a and b, i.e., in the length of the straight
(or geodesic) line between a and b. More pragmatic would be to bother about
the length of the railroad connecting a and b, or even better the time it takes to
go from a to b by train (plane, ship, etc.). But we can also define the distance
as the number of cities (stations, friends to visit, etc.) on the way from a to b,
as the difference in altitude between a and b, and so forth.

The standard mathematical models capturing common features of various
notions of distance are known as metric spaces (see e.g. [4]). We define a metric
space as a pair $D = (W, d)$, where $W$ is a set (of points) and $d$ a function
from $W \times W$ into $\mathbb{R}$, the metric on $W$, satisfying the following
conditions, for all $x, y, z \in W$:


\begin{align}
d(x, y) &= 0 \text{ iff } x = y, \tag{1}\\
d(x, z) &\le d(x, y) + d(y, z), \tag{2}\\
d(x, y) &= d(y, x). \tag{3}
\end{align}


The value $d(x, y)$ is called the distance from the point $x$ to the point $y$.¹
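
For a finite set of points, conditions (1)-(3) can be checked mechanically. The
Java sketch below is a minimal illustration under assumptions: points are
identified with the indices 0, ..., n-1 of a distance matrix, distinct indices
are distinct points, and the sample distances are chosen so that floating-point
rounding plays no role. The names MetricCheck and isMetric are hypothetical.

```java
final class MetricCheck {
    // d[i][j] is the distance from point i to point j of a finite space.
    static boolean isMetric(double[][] d) {
        int n = d.length;
        for (int x = 0; x < n; x++) {
            for (int y = 0; y < n; y++) {
                if ((d[x][y] == 0) != (x == y)) {
                    return false; // violates (1)
                }
                if (d[x][y] != d[y][x]) {
                    return false; // violates (3)
                }
                for (int z = 0; z < n; z++) {
                    if (d[x][z] > d[x][y] + d[y][z]) {
                        return false; // violates (2)
                    }
                }
            }
        }
        return true;
    }

    public static void main(String[] args) {
        // Three points on a line at positions 0, 3, and 7.
        double[][] line = {{0, 3, 7}, {3, 0, 4}, {7, 4, 0}};
        // Made-up asymmetric travel times between two places.
        double[][] travelTimes = {{0, 12}, {14, 0}};
        System.out.println(isMetric(line));
        System.out.println(isMetric(travelTimes));
    }
}
```

The first matrix passes all three checks, while the second fails the symmetry
check (3).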

It is to be noted, however, that although quite acceptable in many cases, the 
defined concept of metric space is not universally applicable to all interesting 
measures of distances between points, especially those used in everyday life. 
Here are some examples: 

(i) Suppose that $W$ consists of the villages in a certain district and
$d(x, y)$ denotes the time it takes to go from $x$ to $y$ by train. Then the
function $d$ is not necessarily total, since there may be villages without
stations.

(ii) If $d(x, y)$ is the flight-time from $x$ to $y$ then, as we know only too
well, $d$ is not necessarily symmetric, even approximately (just go from Malaga
to Tokyo and back).

(iii) Often we do not measure distances by means of real numbers but rather
using more fuzzy notions such as ‘short’, ‘medium’, ‘long’. To represent these
measures we can, of course, take functions $d$ from $W \times W$ into the set
$\{1, 2, 3\} \subset \mathbb{R}$ and define short := 1, medium := 2, and
long := 3. So we can still regard these distances as real numbers. However, for
measures of this type the triangle inequality (2) does not make sense (short
plus short can still be short, but it can also be medium or long).
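
A small worked instance may help with (iii). The thresholds and points are
assumptions chosen for illustration and do not come from the text: take points
on the real line, and call a real distance of at most 5 short, a distance above
5 and at most 7 medium, and a distance above 7 long. For the points $x = 0$,
$y = 4$, and $z = 8$ the encoded distances are:

```latex
\[
d(x, y) = d(y, z) = 1 \ (\text{short}), \qquad
d(x, z) = 3 \ (\text{long}), \qquad
d(x, z) = 3 > 2 = d(x, y) + d(y, z).
\]
```

So the encoded distances violate (2), although the underlying real distances
4, 4, and 8 satisfy it.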

In this paper we assume first that distance functions are total and satisfy
(1)-(3), i.e., we deal with standard metric spaces. But then, in Section 6, we
discuss how far our results can be extended if we consider more general distance
spaces.

Our main aim in the paper is to 


design formal languages of metric (or more general distance) spaces that 
can be used to represent and reason about (a substantial part of) our 


$^1$ Usually axioms (2) and (3) are combined into one axiom $d(y, z) \le d(x, y) + d(x, z)$
which implies the symmetry property (3); cf. [4]. In our case symmetry does not
follow from the triangle inequality (2). We will use this fact in Section 6.
everyday knowledge of distances, and that are at the same time as
computationally tractable as possible.


The next step will be to integrate the developed languages with formalisms 
intended for qualitative spatial reasoning (e.g. RCC-8), temporal reasoning, and 
maybe even combined spatio-temporal reasoning (e.g. [19]). 

The requirement of computational effectiveness imposes rather severe limita- 
tions on possible languages of metric spaces. For instance, we can hardly use the 
full power of the common mathematical formalism which allows arithmetic oper- 
ations and quantification over distances as in the usual definition of a continuous 
function f from D to R: 


$$\forall x \in W\; \forall \varepsilon > 0\; \exists \delta > 0\; \forall y \in W\; (d(x, y) < \delta \to |f(x) - f(y)| < \varepsilon).$$


On the other hand, in everyday life a great deal of assertions about distances 
can be (and are) made without such operations and quantification. Although 
we operate with quantitative information about distances, as in examples (A)-(F)
above, the reasoning is quite often rather qualitative, with numerical data being 
involved only in comparisons (‘everywhere within 7 m distance’, ‘in more than 3 
hours’, etc.), which as we observed above can also encode such vague concepts as 
‘short’, ‘medium’, ‘long’. As travelling scientists, we don’t care about the precise 
location of Malaga, being content with the (qualitative) information that it is in 
Spain, Spain is disconnected from Germany and the U.K., and the flight-time 
to any place in Spain from Germany or the U.K. is certainly less than 4 hours. 
That is why we call our formalisms semi-qualitative, following a suggestion of 
A. Cohn. 

In the next section we propose a hierarchy of ‘semi-qualitative’ propositional 
languages intended for reasoning about distances. We illustrate their expressive 
power and formulate the results on the finite model property, decidability, and 
computational complexity we have managed to obtain so far. (The closest ‘rela- 
tives’ of our logics in the literature are the logics of place from [14,18,15,11,12] 
and metric temporal logics from [13]; see also [5].) Sections 3-5 show how some 
of these results can be proved. And in Section 6 we discuss briefly more general 
notions of ‘distance spaces.’ 

The paper is a preliminary report on our ongoing research; that is why it 
contains more questions than answers (some of them will certainly be solved by 
the time of publication). 


2 The Logics of Metric Spaces 


All the logics of metric spaces to be introduced in this section are based on the 
following Boolean logic of space BS. The alphabet of BS contains 


– an infinite list of set (or region) variables $X_1, X_2, \ldots$;
– an infinite list of location variables $x_1, x_2, \ldots$;
– the Boolean operators $\wedge$ and $\neg$.

Boolean combinations of set variables are called set (or region) terms. Atomic
formulas in BS are of two types:


– $x \in t$, where $x$ is a location variable and $t$ a set term,
– $t_1 = t_2$, where $t_1$ and $t_2$ are set terms.


The intended meaning of these formulas should be clear from their syntax: $x \in t$
means that $x$ belongs to $t$, and $t_1 = t_2$ says that $t_1$ and $t_2$ have the same
extensions.

BS-formulas are just arbitrary Boolean combinations of atoms. 

The language BS, as well as all other languages to be introduced below, is 
interpreted in metric spaces D = (W,d) by means of assignments a associating 
with every set variable X a subset a(X) of W and with every location variable 
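$x$ an element $a(x)$ of $W$. The value $t^a$ of a set term $t$ in the model $\mathfrak{M} = (D, a)$
is defined inductively:

$$X_i^a = a(X_i), \quad X_i \text{ a set variable},$$
$$(t_1 \wedge t_2)^a = t_1^a \cap t_2^a,$$
$$(\neg t)^a = W - t^a.$$


(If the space $D$ is not clear from the context, we write $t^{\mathfrak{M}}$ instead of $t^a$.)
The truth-relation for BS-formulas reflects the intended meaning:


$$\mathfrak{M} \models x \in t \text{ iff } a(x) \in t^a,$$
$$\mathfrak{M} \models t_1 = t_2 \text{ iff } t_1^a = t_2^a,$$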


plus the standard clauses for the Booleans. 

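We write $\top$ instead of $\neg(X \wedge \neg X)$, $\emptyset$ instead of $X \wedge \neg X$, and $t_1 \sqsubseteq t_2$ instead
of $\neg(t_1 \wedge \neg t_2) = \top$. It should be clear that $\mathfrak{M} \models t_1 \sqsubseteq t_2$ iff $t_1^a \subseteq t_2^a$.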

BS can only talk about relations between sets, about their members, but not 
about distances. For instance, we can construct the following knowledge base in 
BS: 


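$$\textit{Leipzig} \in \textit{Germany}, \quad \textit{Malaga} \in \textit{Spain},$$

$$\textit{Germany} \sqsubseteq \textit{Europe}, \quad \textit{Spain} \sqsubseteq \textit{Europe},$$

$$\textit{Spain} \wedge \textit{Germany} = \emptyset.$$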
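The semantics of BS is simple enough to be evaluated directly over a finite universe. The sketch below is only an illustration under stated assumptions: set terms are encoded as nested tuples, the assignment is a dictionary holding both set and location variables, and the three-point universe is invented for the example.

```python
def value(term, W, a):
    """Value of a set term over the universe W under the assignment a."""
    op = term[0]
    if op == "var":
        return set(a[term[1]])
    if op == "and":
        return value(term[1], W, a) & value(term[2], W, a)
    if op == "not":
        return set(W) - value(term[1], W, a)
    raise ValueError(f"unknown constructor: {op}")

def member(x, term, W, a):
    """Truth of the atom 'x in t': a(x) belongs to the value of t."""
    return a[x] in value(term, W, a)

def equal(t1, t2, W, a):
    """Truth of the atom 't1 = t2': both terms have the same extension."""
    return value(t1, W, a) == value(t2, W, a)

def subsumed(t1, t2, W, a):
    """Truth of 't1 below t2', read as not(t1 and not t2) = top."""
    return value(("not", ("and", t1, ("not", t2))), W, a) == set(W)

# Hypothetical model: three points, no metric needed for BS.
W = {"leipzig", "malaga", "paris"}
a = {"Germany": {"leipzig"}, "Spain": {"malaga"}, "Europe": set(W),
     "Leipzig": "leipzig", "Malaga": "malaga"}
V = lambda name: ("var", name)
EMPTY = ("and", V("Spain"), ("not", V("Spain")))  # X and not X

kb = [
    member("Leipzig", V("Germany"), W, a),
    member("Malaga", V("Spain"), W, a),
    subsumed(V("Germany"), V("Europe"), W, a),
    subsumed(V("Spain"), V("Europe"), W, a),
    equal(("and", V("Spain"), V("Germany")), EMPTY, W, a),
]
print(all(kb))
```

Note that no distance function appears anywhere in the evaluator, which matches the observation that the metric plays no role for BS.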


The metric $d$ in $D$ is irrelevant for BS. ‘Real’ metric logics are defined by
extending BS with a number of set term and formula constructs which involve
distances. We define five such logics and call them $\mathcal{MS}_0, \ldots, \mathcal{MS}_4$.


$\mathcal{MS}_0$. To begin with, let us introduce constructs which allow us to speak about
distances between locations. Denote by $\mathcal{MS}_0$ the language extending BS with
the possibility of constructing atomic formulas of the form


– $\delta(x, y) = a$,
– $\delta(x, y) < a$,
– $\delta(x, y) = \delta(x', y')$,
– $\delta(x, y) < \delta(x', y')$,


where $x, y, x', y'$ are location variables and $a \in \mathbb{R}^+$ (i.e., $a$ is a non-negative real
number). The truth-conditions for such formulas are obvious:


$$\mathfrak{M} \models \delta(x, y) = a \text{ iff } d(a(x), a(y)) = a,$$
$$\mathfrak{M} \models \delta(x, y) < a \text{ iff } d(a(x), a(y)) < a,$$
$$\mathfrak{M} \models \delta(x, y) = \delta(x', y') \text{ iff } d(a(x), a(y)) = d(a(x'), a(y')),$$
$$\mathfrak{M} \models \delta(x, y) < \delta(x', y') \text{ iff } d(a(x), a(y)) < d(a(x'), a(y')).$$


$\mathcal{MS}_0$ provides us with some primitive means for basic reasoning about regions
and distances between locations. For example, constraint (A) from Section 1 can
be represented as


$$(\delta(\textit{house}, \textit{college}) < 10) \vee (\delta(\textit{house}, \textit{college}) = 10). \tag{4}$$


The main reasoning problem we are interested in is satisfiability of finite sets 
of formulas in arbitrary metric spaces or in some special classes of metric spaces, 
say, finite ones, the Euclidean $n$-dimensional space $(\mathbb{R}^n, d_n)$ with the standard
metric

$$d_n(x, y) = \sqrt{\sum_{i=1}^{n} (x_i - y_i)^2},$$

the subspace $(\mathbb{N}^n, d_n)$ of $(\mathbb{R}^n, d_n)$ (with the induced metric), etc. The choice of
metric spaces depends on applications. For instance, if we deal with time con- 
straints then the intended space can be one-dimensional (R, d1) or its subspaces 
based on Q or N. If we consider a railway system, then the metric space is finite. 

It is to be noted from the very beginning that the language $\mathcal{MS}_0$ as well as
the other languages $\mathcal{MS}_i$ are uncountable because all of them contain uncountably
many formulas of the form $\delta(x, y) = a$, for $a \in \mathbb{R}^+$. So in general it does not make
sense to ask whether the satisfiability problem for such languages is decidable.

To make the satisfiability problem sensible we have to restrict the languages
$\mathcal{MS}_i$ to at least recursive (under some coding) subsets of $\mathbb{R}^+$. Natural examples
of such subsets are the non-negative rational numbers $\mathbb{Q}^+$ or the natural numbers
$\mathbb{N}$.

Given a set $S \subseteq \mathbb{R}^+$, we denote by $\mathcal{MS}_i[S]$ the fragment of $\mathcal{MS}_i$ consisting
of only those $\mathcal{MS}_i$-formulas all real numbers in which belong to $S$.

For the logic $\mathcal{MS}_0$ we have the following:


Theorem 1. (i) The satisfiability problem for $\mathcal{MS}_0[\mathbb{Q}]$-formulas in arbitrary
metric spaces is decidable.

(ii) Every finite satisfiable set of $\mathcal{MS}_0$-formulas is satisfiable in a finite metric
space, or in other words, $\mathcal{MS}_0$ has the finite model property.


This theorem follows immediately from the proof of the finite model property
of $\mathcal{MS}_2$ in Section 5. We don’t know whether satisfiability of $\mathcal{MS}_0[\mathbb{Q}]$-formulas


42 Holger Sturm et al. 


in $\mathbb{R}^n$ is decidable. We conjecture that it is and that the complexity of the
satisfiability problem for both arbitrary metric spaces and $\mathbb{R}^n$ is in NP.

In $\mathcal{MS}_0$ we can talk about distances between points in metric spaces. Now
we extend the language by providing constructs capable of saying that a point
is within a certain distance from a set, which is required to represent constraint
(B) from Section 1.


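$\mathcal{MS}_1$. Denote by $\mathcal{MS}_1$ the language that is obtained by extending $\mathcal{MS}_0$ with
the following set term constructs:


– if $t$ is a set term and $a \in \mathbb{R}^+$, then $\exists_{\le a} t$ and $\forall_{\le a} t$ are set terms as well.


The semantical meaning of the new set terms is defined by


$$(\exists_{\le a} t)^{\mathfrak{M}} = \{x \in W : \exists y \in W\, (d(x, y) \le a \wedge y \in t^{\mathfrak{M}})\},$$
$$(\forall_{\le a} t)^{\mathfrak{M}} = \{x \in W : \forall y \in W\, (d(x, y) \le a \to y \in t^{\mathfrak{M}})\}.$$


Thus $x \in \exists_{\le a} t$ means that ‘somewhere in or on the sphere with center $x$ and
radius $a$ there is a point from $t$’; $x \in \forall_{\le a} t$ says that ‘the whole sphere with
center $x$ and radius $a$, including its surface, belongs to $t$.’

Constraints (B)-(D) are now expressible by the formulas:


$$\textit{house} \in \exists_{\le 1} \textit{shops} \wedge \exists_{\le 1} \textit{restaurants} \wedge \exists_{\le 1} \textit{cinemas}, \tag{5}$$
$$\textit{house} \in \forall_{\le 2}\, \textit{green\_zone}, \tag{6}$$
$$\textit{house} \in \neg\exists_{\le 5}(\textit{factories} \vee \textit{motorways}). \tag{7}$$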
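Over a finite metric space the two new operators can be computed by brute force. The following sketch assumes a toy "town" of integer positions on a line; the function names and all data are hypothetical and serve only to illustrate formulas in the style of (5)-(7).

```python
def exists_le(a, t_val, W, d):
    """Points x such that some y in t_val satisfies d(x, y) <= a."""
    return {x for x in W if any(d(x, y) <= a for y in t_val)}

def forall_le(a, t_val, W, d):
    """Points x such that every y with d(x, y) <= a lies in t_val."""
    return {x for x in W if all(y in t_val for y in W if d(x, y) <= a)}

# Hypothetical toy town: integer positions on a line, distances in miles.
W = set(range(11))
d = lambda x, y: abs(x - y)
shops, green_zone, factories = {3}, {0, 1, 2, 3, 4, 5}, {9}

def acceptable(house):
    """Simplified analogues of constraints (5), (6) and (7)."""
    return (house in exists_le(1, shops, W, d)
            and house in forall_le(2, green_zone, W, d)
            and house not in exists_le(5, factories, W, d))

print(sorted(h for h in W if acceptable(h)))
```

The two operators are dual to each other: the value of the universal operator on a set is the complement of the value of the existential operator on the complement of that set.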


Here is what we know about this language: 


Theorem 2. (i) The satisfiability problem for $\mathcal{MS}_1[\mathbb{Q}]$-formulas in arbitrary
metric spaces is decidable.

(ii) $\mathcal{MS}_1$ has the finite model property.

(iii) The satisfiability problem for $\mathcal{MS}_1[\{1\}]$-formulas in $(\mathbb{N}^2, d_2)$ is undecidable.


Claims (i) and (ii) follow from the proof of the finite model property in
Section 5. The proof of (iii) is omitted; it can be conducted similarly to the
undecidability proof in Section 3. Note that at the moment we know neither whether
satisfiability in $\mathbb{R}^2$ is decidable nor what the complexity of satisfiability
of $\mathcal{MS}_1[\mathbb{Q}]$-formulas is.


$\mathcal{MS}_2$. In the same manner we can enrich the language $\mathcal{MS}_1$ with the constructs
for expressing ‘somewhere outside the sphere with center $x$ and radius $a$’ and
‘everywhere outside the sphere with center $x$ and radius $a$’. To this end we add
to $\mathcal{MS}_1$ two term-formation constructs:


– if $t$ is a set term and $a \in \mathbb{R}^+$, then $\exists_{>a} t$ and $\forall_{>a} t$ are set terms.

The resulting language is denoted by $\mathcal{MS}_2$. The intended semantical meaning
of the new constructs is as follows:


$$(\exists_{>a} t)^{\mathfrak{M}} = \{x \in W : \exists y \in W\, (d(x, y) > a \wedge y \in t^{\mathfrak{M}})\},$$
$$(\forall_{>a} t)^{\mathfrak{M}} = \{x \in W : \forall y \in W\, (d(x, y) > a \to y \in t^{\mathfrak{M}})\}.$$


Constraint (E) can be represented now as the formula


$$\textit{house} \in \exists_{\le 3}\, \textit{district\_sports\_center} \wedge \forall_{>3} \neg \textit{district\_sports\_center}. \tag{8}$$


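The language $\mathcal{MS}_2$ is quite expressive. First, it contains an analogue of the
difference operator from modal logic (see [6]), because using $\forall_{>0}$ we can say
‘everywhere but here’:


$$\mathfrak{M} \models x \in \forall_{>0} t \text{ iff } \mathfrak{M} \models y \in t \text{ for all } y \ne x.$$


We also have the universal modalities of [9]: the operators $\forall$ and $\exists$ can be defined
by taking


$$\forall t = t \wedge \forall_{>0} t, \text{ i.e., } \forall t \text{ is } \emptyset \text{ if } t \ne \top \text{ and } \top \text{ otherwise},$$
$$\exists t = t \vee \exists_{>0} t, \text{ i.e., } \exists t \text{ is } \top \text{ if } t \ne \emptyset \text{ and } \emptyset \text{ otherwise}.$$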
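The behaviour of the defined universal modalities is easy to confirm on a small example. The sketch below is an illustration only, assuming a four-point line as the metric space; the helper names `box_all` and `dia_some` are made up for this example.

```python
def exists_gt(a, t_val, W, d):
    """Points x such that some y in t_val satisfies d(x, y) > a."""
    return {x for x in W if any(d(x, y) > a for y in t_val)}

def forall_gt(a, t_val, W, d):
    """Points x such that every y with d(x, y) > a lies in t_val."""
    return {x for x in W if all(y in t_val for y in W if d(x, y) > a)}

def box_all(t_val, W, d):
    """Universal modality, defined as t and (everywhere but here) t."""
    return t_val & forall_gt(0, t_val, W, d)

def dia_some(t_val, W, d):
    """Existential modality, defined as t or (somewhere else) t."""
    return t_val | exists_gt(0, t_val, W, d)

# Hypothetical four-point space on a line.
W = {0, 1, 2, 3}
d = lambda x, y: abs(x - y)

print(box_all(W, W, d) == W)            # the full set: value is the whole space
print(box_all({0, 1}, W, d) == set())   # a proper subset: value is empty
print(dia_some({2}, W, d) == W)         # a non-empty set: value is the whole space
print(dia_some(set(), W, d) == set())   # the empty set: value is empty
```

All four comparisons hold, in line with the "i.e." readings given in the two definitions.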


Second, we can simulate the nominals of [1]. Denote by $\mathcal{MS}_2'$ the language that
results from $\mathcal{MS}_2$ by allowing set terms of the form $\{x\}$, for every location
variable $x$, with the obvious interpretation:


– $a(\{x\}) = \{a(x)\}$.


In $\mathcal{MS}_2'$ we can say, for example, that


$$(\exists_{\le 1100}\{\textit{Leipzig}\} \wedge \exists_{\le 1100}\{\textit{Malaga}\}) \sqsubseteq \textit{France},$$


i.e., ‘if you are not more than 1100 km away from Leipzig and not more than
1100 km away from Malaga, then you are in France’.

As far as the satisfiability problem is concerned, $\mathcal{MS}_2'$ is not more expressive
than $\mathcal{MS}_2$. To see this, consider a finite set of $\mathcal{MS}_2'$-formulas $\Gamma$ and suppose
that $x_1, \ldots, x_n$ are all location variables which occur in $\Gamma$ as set terms $\{x_i\}$.
Take fresh set variables $X_1, \ldots, X_n$ and let $\Gamma'$ be the result of replacing all $\{x_i\}$
in $\Gamma$ with $X_i$. It is readily checked that $\Gamma$ is satisfiable in a model based on a
metric space $D$ iff the set of $\mathcal{MS}_2$-formulas


$$\Gamma' \cup \{(X_i \wedge \neg\exists_{>0} X_i) \ne \emptyset : i \le n\}$$


is satisfiable in $D$.
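The key point of this reduction is that the added formula forces each fresh set variable to denote a single point. A brute-force check over all subsets of a small space illustrates this; the sketch assumes a four-point line, and `behaves_like_nominal` is a hypothetical helper name.

```python
from itertools import combinations

def exists_gt(a, t_val, W, d):
    """Points x such that some y in t_val satisfies d(x, y) > a."""
    return {x for x in W if any(d(x, y) > a for y in t_val)}

def behaves_like_nominal(X, W, d):
    """True iff the term 'X and not (somewhere else) X' has a non-empty value."""
    return bool(X & (W - exists_gt(0, X, W, d)))

# Hypothetical four-point space on a line.
W = {0, 1, 2, 3}
d = lambda x, y: abs(x - y)

subsets = [set(c) for r in range(len(W) + 1)
           for c in combinations(sorted(W), r)]
# The formula holds exactly for the singleton subsets.
print(all(behaves_like_nominal(X, W, d) == (len(X) == 1) for X in subsets))
```

This relies on axiom (1): distinct points are at a positive distance, so a point of X with no other X-point at distance greater than 0 must be the only element of X.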

It is worth noting that, as will become obvious in the next section, the relation
between the operators $\forall_{\le a}$ and $\forall_{>a}$ corresponds to the relation between modal
operators $\Box$ and $\overline{\Box}$ interpreted in Kripke frames by an accessibility relation $R$
and its complement $\overline{R}$, respectively; see [8] for a study of modal logics with such
boxes.

Theorem 3. (i) The satisfiability problem for $\mathcal{MS}_2[\mathbb{Q}]$-formulas in arbitrary
metric spaces is decidable.
(ii) $\mathcal{MS}_2$ has the finite model property.


This result will be proved in Section 5. We don’t know, however, what the
complexity of the satisfiability problem from (i) is.


$\mathcal{MS}_3$. To be able to express the last constraint (F) from Section 1, we need
two more constructs:


– if $t$ is a set term and $a < b$, then $\exists^{>a}_{\le b} t$ and $\forall^{>a}_{\le b} t$ are set terms.


The extended language will be denoted by $\mathcal{MS}_3$. The truth-conditions for these
operators are as follows:


$$(\exists^{>a}_{\le b} t)^{\mathfrak{M}} = \{x \in W : \exists y \in W\, (a < d(x, y) \le b \wedge y \in t^{\mathfrak{M}})\},$$
$$(\forall^{>a}_{\le b} t)^{\mathfrak{M}} = \{x \in W : \forall y \in W\, (a < d(x, y) \le b \to y \in t^{\mathfrak{M}})\}.$$


In other words, $x \in \exists^{>a}_{\le b} t$ iff ‘somewhere in the ring with center $x$, the inner radius
$a$ and the outer radius $b$, including the outer circle, there is a point from $t$’.
Constraint (F) is represented then by the formula:


house Ez) tube_station. (9) 


(By the way, the end of the imaginary story about buying a house in London 
was not satisfactory. Having checked her knowledge base, the estate agent said: 
“Unfortunately, your constraints (4)—(9) are not satisfiable in London, where we 
have 


$$\textit{tube\_station} \sqsubseteq \exists_{\le 3.5}(\textit{factory} \vee \textit{motorway}).$$


In view of the triangle inequality, this contradicts constraints (7) and (9).”) 
Unfortunately, the language MS3 is too expressive for many important 
classes of metric spaces. 


Theorem 4. Let $K$ be a class of metric spaces containing $\mathbb{R}^2$. Then the
satisfiability problem for $\mathcal{MS}_3[\{0, \ldots, 100\}]$-formulas in $K$ is undecidable.


This result will be proved in the next section (even for a small fragment of
$\mathcal{MS}_3$).


MS. The most expressive language MS, we have in mind is an extension of 
MS3 with the operators deat, Veat, d>at, V>at, sere ae 

Here is what we know about these operators: the satisfiability problem for 
the full language in the class of all metric spaces is of course undecidable—it 
contains MS3. Moreover, the operators vey alone determine an undecidable 
language for the class of arbitrary metric spaces (this can be proved similarly 
to the undecidability proof in Section 3). Also, a similar proof shows that the
language with the operators $\forall_{<a}$ only is undecidable both in $(\mathbb{R}^2, d_2)$ and in
$(\mathbb{N}^2, d_2)$. Still, various questions are open: for example, whether the
language with the operators $\forall_{<a}$ only is decidable in arbitrary metric spaces or
whether there are interesting classes of metric spaces in which $\mathcal{MS}_4$ is decidable.

In this section we prove a rather general undecidability result. In particular,
Theorem 4 is its immediate consequence.


Theorem 5. Let $K$ be a class of metric spaces containing $\mathbb{R}^2$. Then the
satisfiability problem for $\mathcal{MS}_3[\{0, 9, 10, 20, 80\}]$-formulas (even for those with the
operators Wee and d<q only) in K is undecidable. 


Proof. To prove this result, we reduce the undecidable $\mathbb{N} \times \mathbb{N}$-tiling problem (see
[17,2] and references therein) to the satisfiability problem in $K$. We remind the
reader that the tiling problem for $\mathbb{N} \times \mathbb{N}$ is formulated as follows: given a finite set
$\mathcal{T} = \{T_1, \ldots, T_l\}$ of tiles (i.e., squares $T_i$ with colors $left(T_i)$, $right(T_i)$, $up(T_i)$,
and $down(T_i)$ on their edges), determine whether tiles in $\mathcal{T}$ can cover the grid
$\mathbb{N} \times \mathbb{N}$ in such a way that the colors of adjacent edges on adjacent tiles match,
or more precisely, whether there exists a function $\tau : \mathbb{N} \times \mathbb{N} \to \mathcal{T}$ such that for
all $n, m \in \mathbb{N}$:


(a) $right(\tau(n, m)) = left(\tau(n + 1, m))$,
(b) $up(\tau(n, m)) = down(\tau(n, m + 1))$.
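Conditions (a) and (b) can be checked mechanically on any finite patch of the grid, even though the problem for the whole grid is undecidable. The following sketch only verifies a given candidate function on a finite rectangle; the `Tile` type, the colour names and the sample tiles are hypothetical.

```python
from collections import namedtuple

# A tile is a square with a colour on each of its four edges.
Tile = namedtuple("Tile", "left right up down")

def is_partial_tiling(tau, width, height):
    """Check conditions (a) and (b) for tau restricted to a width x height patch."""
    for n in range(width):
        for m in range(height):
            # (a): right edge must match the left edge of the tile to the right.
            if n + 1 < width and tau[(n, m)].right != tau[(n + 1, m)].left:
                return False
            # (b): upper edge must match the lower edge of the tile above.
            if m + 1 < height and tau[(n, m)].up != tau[(n, m + 1)].down:
                return False
    return True

# Hypothetical tile set: A and B alternate horizontally.
A = Tile(left="red", right="green", up="blue", down="blue")
B = Tile(left="green", right="red", up="blue", down="blue")

alternating = {(n, m): (A if n % 2 == 0 else B)
               for n in range(4) for m in range(3)}
only_a = {(n, m): A for n in range(4) for m in range(3)}

print(is_partial_tiling(alternating, 4, 3))
print(is_partial_tiling(only_a, 4, 3))
```

The alternating assignment passes the check, while the one using only tile A fails because its right and left colours differ.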


So, suppose a set of tiles $\mathcal{T} = \{T_1, \ldots, T_l\}$ is given. Our aim is to construct a
finite set of $\mathcal{MS}_3[\{0, 9, 10, 20, 80\}]$-formulas which is satisfiable in $K$ iff $\mathcal{T}$ can
tile $\mathbb{N} \times \mathbb{N}$.

Take set variables $Z_1, \ldots, Z_l$, $X_0, \ldots, X_4$, $Y_0, \ldots, Y_4$. Let $\chi_{ij} = \forall_{\le 9}(X_i \wedge Y_j)$,
for $i, j \le 4$, and let $\Gamma$ be the set of the following formulas, where $i, j \le 4$ and
$k \le l$:


MAY; © scans OG) Veco: Dah En GD) FO) (10) 


xig EV Ve0Ze, Zm E7Zn (n £m), (11) 
k<l 
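$$\chi_{ij} \wedge Z_k \sqsubseteq \exists_{\le 20}\Big(\chi_{i +_5 1,\, j} \wedge \bigvee_{right(T_k) = left(T_m)} Z_m\Big), \tag{12}$$

$$\chi_{ij} \wedge Z_k \sqsubseteq \exists_{\le 20}\Big(\chi_{i,\, j +_5 1} \wedge \bigvee_{up(T_k) = down(T_m)} Z_m\Big), \tag{13}$$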


where +5 denotes addition modulo 5. 

The first formula in (10) is satisfied in a model $\mathfrak{M} = (W, d, a)$ iff $a(X_i \wedge Y_j)$ is
the union of a set of spheres of radius 9. The second one is satisfied in $\mathfrak{M}$ iff the
distance between any two distinct centers of spheres, all points in which belong
to $a(X_i \wedge Y_j)$, is more than 80.

We are going to show that the set $\{x \in \chi_{00}\} \cup \Gamma$ is satisfiable in $K$ iff $\mathcal{T}$ can
tile $\mathbb{N} \times \mathbb{N}$.


Lemma 1. If $\mathcal{T}$ can tile $\mathbb{N} \times \mathbb{N}$, then $\{x \in \chi_{00}\} \cup \Gamma$ is satisfiable in $\mathbb{R}^2$.

Proof. Suppose $\tau : \mathbb{N} \times \mathbb{N} \to \mathcal{T}$ is a tiling. For $r \in \mathbb{R}^2$, put
$$S(r) = \{y \in \mathbb{R}^2 : d_2(r, y) \le 9\}.$$
Define an assignment $a$ into $\mathbb{R}^2$ by taking, for $i, j \le 4$ and $k \le l$:
– $a(X_i) = \bigcup\{S(50m + 10i, 20n) : m, n \in \mathbb{N}\}$,
– $a(Y_j) = \bigcup\{S(20n, 50m + 10j) : m, n \in \mathbb{N}\}$,
– $a(Z_k) = \bigcup\{S(n, m) : \tau(n, m) = T_k\}$.


It is not difficult to see that $(\mathbb{R}^2, a)$ satisfies $\{x \in \chi_{00}\} \cup \Gamma$.


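Lemma 2. Suppose a model $\mathfrak{M} = (W, d, a)$ satisfies $\{x \in \chi_{00}\} \cup \Gamma$. Then there
exists a function $f : \mathbb{N} \times \mathbb{N} \to W$ such that, for all $i, j \le 4$ and $k_1, k_2 \in \mathbb{N}$,

– $f(5k_1 + i, 5k_2 + j) \in \chi_{ij}^{\mathfrak{M}}$,

– $d(f(k_1, k_2), f(k_1 + 1, k_2)) \le 20$,

– $d(f(k_1, k_2), f(k_1, k_2 + 1)) \le 20$.
The map $\tau : \mathbb{N} \times \mathbb{N} \to \mathcal{T}$ defined by taking $\tau(n, m) = T_k$ iff $f(n, m) \in Z_k^{\mathfrak{M}}$, for all
$k \le l$ and all $n, m \in \mathbb{N}$, is a tiling.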


Proof. We define $f$ inductively. Put $f(0, 0) = a(x)$. By (12), we find a sequence
$w_n \in W$, $n \in \mathbb{N}$, such that

– $w_0 = f(0, 0)$,

– $w_{5k+i} \in \chi_{i0}^{\mathfrak{M}}$, for all $i \le 4$ and $k \in \mathbb{N}$,

– $d(w_n, w_{n+1}) \le 20$.


We put $f(n, 0) = w_n$ for all $n \in \mathbb{N}$. Similarly, by (13) we find a sequence $v_n$,
$n \in \mathbb{N}$, such that

– $v_0 = f(0, 0)$,

– $v_{5k+j} \in \chi_{0j}^{\mathfrak{M}}$, for all $j \le 4$ and $k \in \mathbb{N}$,

– $d(v_n, v_{n+1}) \le 20$.
Put $f(0, m) = v_m$ for all $m \in \mathbb{N}$. Suppose now that $f$ satisfies the conditions
listed in the formulation of the lemma (on its defined domain), that it has been
defined for all $(m', n')$ with $m' + n' < m + n$, but not for $(m, n)$. Without loss of
generality we can assume that $n = 5k_1$, $m = 5k_2 + 1$, for some $k_1, k_2 \in \mathbb{N}$. Then
$f(n, m - 1) \in \chi_{00}^{\mathfrak{M}}$, and so $f(n, m - 1) \in (\exists_{\le 20} \chi_{01})^{\mathfrak{M}}$. So we can find a $w' \in W$
with $d(f(n, m - 1), w') \le 20$ such that $w' \in \chi_{01}^{\mathfrak{M}}$. We then put $f(n, m) = w'$. It
remains to prove that $f$ still has the required properties. To this end it suffices
to show that $d(f(n - 1, m), w') \le 20$. We have $f(n - 1, m) \in \chi_{41}^{\mathfrak{M}}$, and so there
exists a $w''$ such that $w'' \in \chi_{01}^{\mathfrak{M}}$ and $d(f(n - 1, m), w'') \le 20$. So it is enough to
show that $w' = w''$. Suppose otherwise. Then
– $d(w'', f(n - 1, m)) \le 20$,
– $d(f(n - 1, m), f(n - 1, m - 1)) \le 20$,

– $d(f(n - 1, m - 1), f(n, m - 1)) \le 20$,

– $d(f(n, m - 1), w') \le 20$.
By the triangle inequality, we then have $d(w'', w') \le 80$, contrary to the second
formula in (10).

The reader can readily check that $\tau$ is a tiling.


4 Relational Semantics


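To prove the finite model property of $\mathcal{MS}_2$, we require a relational representation
of metric space models defined in Section 2. Let $M \subseteq \mathbb{R}^+$.
A relational metric $M$-model is a quadruple of the form


$$\mathfrak{S} = (W, (R_a)_{a \in M}, (\overline{R}_a)_{a \in M}, a),$$


where $W$ is a non-empty set, $(R_a)_{a \in M}$ and $(\overline{R}_a)_{a \in M}$ are families of binary
relations on $W$, and $a$ is an assignment in $W$. The value $t^{\mathfrak{S}}$ of a set term $t$ in $\mathfrak{S}$
is defined inductively. The basis of induction and the case of Booleans are the
same as in metric space models. And for set terms of the form $\forall_{\le a} t$ and $\forall_{>a} t$
we put


– $(\forall_{\le a} t)^{\mathfrak{S}} = \{w \in W : \forall v \in W\, (w R_a v \to v \in t^{\mathfrak{S}})\}$,
– $(\forall_{>a} t)^{\mathfrak{S}} = \{w \in W : \forall v \in W\, (w \overline{R}_a v \to v \in t^{\mathfrak{S}})\}$.


The values of $\exists_{\le a} t$ and $\exists_{>a} t$ are defined dually.
Say that the model $\mathfrak{S}$ is $M$-standard if the following conditions are satisfied
for all $a, b \in M$ and $w, u, v \in W$:
(i) $R_a \cup \overline{R}_a = W \times W$,
(ii) $R_a \cap \overline{R}_a = \emptyset$,
(iii) if $u R_a v$ and $a \le b$, then $u R_b v$,
(iv) if $u \overline{R}_a v$ and $a \ge b$, then $u \overline{R}_b v$,
(v) $u R_0 v$ iff $u = v$,
(vi) if $u R_a v$ and $v R_b w$, then $u R_{a+b} w$ whenever $a + b \in M$,
(vii) $u R_a v$ iff $v R_a u$.
Note that as a consequence of (i), (ii) and (vi) we have:


(viii) if $u R_a v$ and $u \overline{R}_{a+b} w$ then $v \overline{R}_b w$.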


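With every metric space model $\mathfrak{M} = (W, d, a)$ we can associate the relational
metric $M$-model


$$\mathfrak{S}(\mathfrak{M}) = (W, (R_a)_{a \in M}, (\overline{R}_a)_{a \in M}, a),$$


in which the relations $R_a$ and $\overline{R}_a$ are defined as follows:


$$\forall w, v \in W\, (w R_a v \leftrightarrow d(w, v) \le a),$$
$$\forall w, v \in W\, (w \overline{R}_a v \leftrightarrow d(w, v) > a).$$


It is easy to see that $\mathfrak{S}(\mathfrak{M})$ is $M$-standard. Note that (v), (vi) and (vii) reflect
axioms (1)-(3) of metric spaces.

The model $\mathfrak{S}(\mathfrak{M})$ can be regarded as a relational representation of $\mathfrak{M}$. For
we clearly have the following:


Lemma 3. For every metric space model $\mathfrak{M}$ and every set term $t \in \mathcal{MS}_2[M]$,
the value of $t$ in $\mathfrak{M}$ coincides with the value of $t$ in $\mathfrak{S}(\mathfrak{M})$.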
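For a finite metric space, both the relational counterpart and the conditions of $M$-standardness can be computed directly. The sketch below is an illustration under assumptions: relations are sets of pairs indexed by the numbers in $M$, $M$ is assumed to contain 0, and all names are hypothetical.

```python
from itertools import product

def relational_model(W, d, M):
    """Relations R_a (d <= a) and their complements (d > a) for each a in M."""
    pairs = list(product(W, repeat=2))
    R = {a: {(u, v) for u, v in pairs if d(u, v) <= a} for a in M}
    Rbar = {a: {(u, v) for u, v in pairs if d(u, v) > a} for a in M}
    return R, Rbar

def is_standard(W, R, Rbar, M):
    """Check conditions (i)-(vii); assumes that 0 belongs to M."""
    full = set(product(W, repeat=2))
    for a in M:
        if R[a] | Rbar[a] != full:                          # (i)
            return False
        if R[a] & Rbar[a]:                                  # (ii)
            return False
        if any((v, u) not in R[a] for u, v in R[a]):        # (vii)
            return False
        for b in M:
            if a <= b and not R[a] <= R[b]:                 # (iii)
                return False
            if a >= b and not Rbar[a] <= Rbar[b]:           # (iv)
                return False
            if a + b in M:                                  # (vi)
                for (u, v), (v2, w) in product(R[a], R[b]):
                    if v == v2 and (u, w) not in R[a + b]:
                        return False
    return R[0] == {(u, u) for u in W}                      # (v)

# Hypothetical finite space: four points on a line.
W = [0, 1, 2, 3]
d = lambda u, v: abs(u - v)
M = {0, 1, 2, 3}
R, Rbar = relational_model(W, d, M)
print(is_standard(W, R, Rbar, M))
```

Adding a pair to a complement relation that already belongs to the corresponding relation breaks condition (ii), which is the kind of defect that can arise after filtration.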

5 The Finite Model Property of $\mathcal{MS}_2$


In this section we prove that $\mathcal{MS}_2$ has the finite model property. The idea of
the proof is as follows.

Let $\varphi$ be an $\mathcal{MS}_2$-formula and let $\mathfrak{M} \models \varphi$ for some metric space model
$\mathfrak{M} = (W, d, a)$. Depending on $\mathfrak{M}$, we transform $\varphi$ into a set $\Phi$, containing only
formulas of the form $x \in t$, $s = t$, $s \ne t$, and $\delta(x, y) = a$, in such a way that $\varphi$
is satisfiable in a finite model whenever $\Phi$ is finitely satisfiable. Starting from
$\Phi$, we compute a finite set $M[\Phi]$ of real numbers containing, in particular, all
the numbers occurring in $\Phi$. Then we replace the metric $d$ by a new metric $d'$
with (finite) range $M[\Phi]$. The new model $\mathfrak{M}_1$ still satisfies $\Phi$. The next step is to
filtrate (as in modal logic; see e.g. [3]) the relational metric model $\mathfrak{S} = \mathfrak{S}(\mathfrak{M}_2)$
through some suitable set of terms $cl(\Phi)$. To define $cl(\Phi)$, we first transform $\Phi$
into a set $\Phi'$ which, roughly speaking, is obtained from $\Phi$ by replacing every
formula of the form $\delta(y, z) = a$ with two formulas $z \in X^z$ and $y \in \exists_{\le a} X^z$, where
the $X^z$ are fresh set variables. $cl(\Phi)$ will be the closure of the terms in $\Phi'$ under
syntactical rules that are similar to the rules of the Fischer-Ladner closure for
PDL-formulas (cf. [10]). (Note, however, that in contrast to the Fischer-Ladner
closure the closure considered here results in an exponential blow up.)

As a result of the filtration we get a finite relational metric model $\mathfrak{S}^f$. But
unlike $\mathfrak{S}$, in general $\mathfrak{S}^f$ is not $M[\Phi]$-standard, which means that we cannot
directly transform it into a finite metric space model. However, $\mathfrak{S}^f$ still has all
the properties of $M[\Phi]$-standard models save (ii): there may exist $v \in W^f$ such
that $w R_a v$ and $w \overline{R}_a v$, for some $w \in W^f$ and $a \in M[\Phi]$. To ‘cure’ these defects,
we make copies of such ‘bad’ points $v$ and modify the relations $R_a$ and $\overline{R}_a$ in $\mathfrak{S}^f$,
obtaining a finite standard relational metric model $\mathfrak{S}^*$. (The ‘copying-method’
was developed by the Bulgarian school of modal logic; see [7,16]. Our technique
follows [8].) The final step is to transform $\mathfrak{S}^*$ into a metric space model $\mathfrak{M}^*$.


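Let us now turn to details. Denote by $term(\varphi)$ the set of all set terms occurring
in $\varphi$; $sub(\varphi)$ stands for the set of all subformulas of $\varphi$. Define a set
$\Phi = \Phi_1 \cup \Phi_2 \cup \Phi_3$ by taking:

$$\Phi_1 = \{x \in t : (x \in t) \in sub(\varphi),\ \mathfrak{M} \models x \in t\} \cup \{x \in \neg t : (x \in t) \in sub(\varphi),\ \mathfrak{M} \not\models x \in t\},$$

$$\Phi_2 = \{s = t : (s = t) \in sub(\varphi),\ \mathfrak{M} \models s = t\} \cup \{s \ne t : (s = t) \in sub(\varphi),\ \mathfrak{M} \models s \ne t\},$$

$$\Phi_3 = \{\delta(y, z) = a : \delta(y, z) \in term(\varphi),\ a = d(a(y), a(z))\}.$$


It should be clear from the definition that we have


Lemma 4. (1) $\mathfrak{M} \models \Phi$.
(2) For every metric space model $\mathfrak{M}'$, if $\mathfrak{M}' \models \Phi$ then $\mathfrak{M}' \models \varphi$.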


Next we construct $M[\Phi]$ and $\Phi'$. Let


$$M(\Phi) = \{a \in \mathbb{R} : a \text{ occurs in } \Phi\}.$$

Denote by $\gamma$ the smallest natural number that is greater than all numbers in
$M(\Phi) \cup \{0\}$ and define $M[\Phi]$ as
$$M[\Phi] = \{a_1 + \cdots + a_n < \gamma : a_1, \ldots, a_n \in M(\Phi),\ n < \omega\} \cup \{\gamma\} \cup \{0\}.$$


Let $\chi = \min(M(\Phi) - \{0\})$ and let $\mu$ be the least natural number such that
$\chi > \gamma/\mu$. An easy (but tedious) computation yields:


Lemma 5. $|M[\Phi]| \le |M(\Phi)|^{\mu}$, whenever $|M(\Phi)| \ge 2$.
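The set $M[\Phi]$ is finite because every positive summand is bounded from below and all sums are cut off at $\gamma$. A minimal sketch of this computation follows, assuming the numbers occurring in $\Phi$ are given as exact rationals; the function name `closure_M` and the sample input are hypothetical.

```python
from fractions import Fraction
import math

def closure_M(M_phi):
    """Return (M[Phi], gamma) for a finite set M_phi of non-negative rationals."""
    nums = {Fraction(a) for a in M_phi}
    # gamma: the smallest natural number greater than every number in M(Phi) and 0.
    gamma = Fraction(math.floor(max(nums | {Fraction(0)})) + 1)
    positive = sorted(a for a in nums if a > 0)
    sums = {Fraction(0)}
    frontier = {Fraction(0)}
    # Repeatedly add one more positive summand, keeping only sums below gamma.
    while frontier:
        new = {s + a for s in frontier for a in positive if s + a < gamma} - sums
        sums |= new
        frontier = new
    return sums | {gamma}, gamma

# Hypothetical input: the numbers 1 and 5/2 occur in Phi.
M_closed, gamma = closure_M({Fraction(1), Fraction(5, 2)})
print(gamma, sorted(M_closed))
```

The loop terminates because each round increases every new sum by at least the smallest positive element, and no sum may reach $\gamma$.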


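For each location variable $z$ occurring in $\Phi_3$ we pick a new set variable $X^z$
and define $\Phi_3'$, $\Phi'$, and $t(\Phi)$ by taking


$$\Phi_3' = \{y \in \exists_{\le a} X^z : \delta(y, z) = a \in \Phi_3\} \cup \{z \in X^z : \delta(y, z) = a \in \Phi_3\} \cup \{y \in \forall_{\le b} \neg X^z : \delta(y, z) = a \in \Phi_3,\ b < a,\ b \in M[\Phi]\},$$
$$\Phi' = \Phi_1 \cup \Phi_2 \cup \Phi_3',$$
$$t(\Phi) = \{t : t \in term(\Phi')\}.$$
The closure $cl(\Phi)$ of $t(\Phi)$ is the smallest set of terms $T$ such that $t(\Phi) \subseteq T$ and


1. $T$ is closed under subterms;

2. if $t \in T$, then $\forall_{\le 0} t \in T$ whenever $t$ is not of the form $\forall_{\le 0} s$;

3. if $\forall_{\le a} t \in T$ and $a \ge a_1 + \cdots + a_n$, for $a_i \in M[\Phi] - \{0\}$, then $\forall_{\le a_1} \ldots \forall_{\le a_n} t \in T$;
4. if $\forall_{>a} t \in T$ and $b \in M[\Phi]$, then $\neg\forall_{\le b} \neg\forall_{>a} t \in T$;

5. if $\forall_{>a} t \in T$ and $b > a$, for $b \in M[\Phi]$, then $\forall_{>b} t \in T$ and $\neg\forall_{>b} \neg\forall_{>a} t \in T$.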


By an easy but tedious computation the reader can check that we have: 
Lemma 6. I[f |M(@)| > 4 and x > 3, then 
lel(B)| < S(B) = |e(B)| -ag[a| OTN MOY, 
We are in a position now to prove the following:


Theorem 6. $\Phi$ is satisfied in a metric space model $\mathfrak{M}^* = (W^*, d^*, b^*)$ such that
$|W^*| \le 2 \cdot 2^{S(\Phi)}$ and the range of $d^*$ is a subset of $M[\Phi]$.

Proof. We first show that $\Phi$ is satisfied in a metric space model $(W, d', a)$ with
the range of $d'$ being a subset of $M = M[\Phi]$. Indeed, define $d'$ by taking

$$d'(w, v) = \min\{\gamma, a \in M : d(w, v) \le a\},$$


for all $w, v \in W$, and let $\mathfrak{M}_1 = (W, d', a)$. Clearly, the range of $d'$ is a subset of $M$.
We check that $d'$ is a metric. It satisfies (1) because $0 \in M$. That $d'$ is symmetric
follows from the symmetry of $d$. To show (2), suppose $d'(w, v) + d'(v, u) \le a$,
for $a \in M$. By the definition of $d'$, we then have $d(w, v) + d(v, u) \le a$, and so
$d(w, u) \le a$. Hence $d'(w, u) \le a$. Thus we have shown that


$$\{a \in M : d'(w, v) + d'(v, u) \le a\} \subseteq \{a \in M : d'(w, u) \le a\},$$


from which one easily concludes that $d'(w, u) \le d'(w, v) + d'(v, u)$.
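The passage from $d$ to $d'$ amounts to rounding every distance up to the nearest element of $M$, capped at $\gamma$. The sketch below illustrates this on a small example; the sample space, the choice $M = \{0, 1, 2, 3\}$ with $\gamma = 3$, and the function names are assumptions made for the illustration.

```python
from itertools import product

def round_up(d, M, gamma):
    """Return d' with d'(w, v) = min({gamma} and all a in M with d(w, v) <= a)."""
    def d_prime(w, v):
        return min([gamma] + [a for a in M if d(w, v) <= a])
    return d_prime

def is_metric(points, dist):
    """Check axioms (1)-(3) on a finite set of points."""
    pts = list(points)
    for x, y in product(pts, repeat=2):
        if (dist(x, y) == 0) != (x == y) or dist(x, y) != dist(y, x):
            return False
    return all(dist(x, z) <= dist(x, y) + dist(y, z)
               for x, y, z in product(pts, repeat=3))

# Hypothetical space: four points on the real line.
W = [0.0, 0.4, 1.7, 5.0]
d = lambda w, v: abs(w - v)
M, gamma = {0, 1, 2, 3}, 3
d1 = round_up(d, M, gamma)

print(d1(0.0, 0.4), d1(0.0, 1.7), d1(0.0, 5.0))
print(is_metric(W, d1))
# Comparisons with the numbers 1 and 2 (those below gamma) are preserved.
print(all((d(w, v) <= a) == (d1(w, v) <= a)
          for w, v in product(W, repeat=2) for a in (1, 2)))
```

In this example the new function takes only values from $M$, remains a metric, and agrees with $d$ on all comparisons against the numbers below $\gamma$.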

Lemma 7. The set $\Phi$ is satisfied in $\mathfrak{M}_1$.


Proof. Clearly, for each $(\delta(y, z) = a) \in \Phi_3$, $d(a(y), a(z)) = d'(a(y), a(z)) = a$. So
$\mathfrak{M}_1 \models \Phi_3$. To show $\mathfrak{M}_1 \models \Phi_1 \cup \Phi_2$ it suffices to prove that


$$\forall w \in W\; \forall t \in t(\Phi)\; (w \in t^{\mathfrak{M}} \leftrightarrow w \in t^{\mathfrak{M}_1}).$$


This can be done by a straightforward induction on the construction of $t$. The
basis of induction and the case of Booleans are trivial. So suppose $t$ is $\forall_{\le a} s$ (then
$a \in M$). Then we have:


$$w \in t^{\mathfrak{M}} \Leftrightarrow_1 \forall v \in W\, (d(w, v) \le a \to v \in s^{\mathfrak{M}})$$
$$\Leftrightarrow_2 \forall v \in W\, (d'(w, v) \le a \to v \in s^{\mathfrak{M}_1})$$
$$\Leftrightarrow_3 w \in t^{\mathfrak{M}_1}.$$
The equivalences 1 and 3 are obvious. 2 holds by the induction hypothesis
and the fact that, for all $w, v \in W$ and every $a \in M$, $d(w, v) \le a$ iff $d'(w, v) \le a$.
The case $\forall_{>a} s$ is considered in a similar way.


Before filtrating $\mathfrak{M}_1$ through $\Theta = cl(\Phi)$, we slightly change its assignment.
Recall that $\Theta$ contains the new set variables $X^z$ which function as nominals and
which will help to fix the distances between the points occurring in $\Phi_3$. Define $b$
to be the assignment that acts as $a$ on all variables save the $X^z$, where


– $b(X^z) = \{a(z)\}$.


Let $\mathfrak{M}_2 = (W, d', b)$. It should be clear from the definition and Lemma 7 that
we have:


(a) $t^{\mathfrak{M}_1} = t^{\mathfrak{M}_2}$, for all set terms $t \in t(\Phi)$;
(b) $\mathfrak{M}_1 \models \psi$ iff $\mathfrak{M}_2 \models \psi$, for all formulas $\psi \in \mathcal{MS}_2(\Phi)$;
(c) $\mathfrak{M}_2 \models \Phi$;
(d) $\mathfrak{M}_2 \models \Phi'$.


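Consider the relational counterpart of $\mathfrak{M}_2$, i.e., the model
$$\mathfrak{S}(\mathfrak{M}_2) = (W, (R_a)_{a \in M}, (\overline{R}_a)_{a \in M}, b)$$


which, for brevity, will be denoted by $\mathfrak{S}$. Define an equivalence relation $\equiv$ on $W$
by taking $u \equiv v$ when $u \in t^{\mathfrak{S}}$ iff $v \in t^{\mathfrak{S}}$ for all $t \in \Theta$. Let $[u] = \{v \in W : u \equiv v\}$.
Note that if $(z \in X^z) \in \Phi_3'$ then $[b(z)] = \{b(z)\}$, since $X^z \in \Theta$.

Construct a filtration $\mathfrak{S}^f = (W^f, (R^f_a)_{a \in M}, (\overline{R}^f_a)_{a \in M}, b^f)$ of $\mathfrak{S}$ through $\Theta$
by taking


– $W^f = \{[u] : u \in W\}$;

– $b^f(x) = [b(x)]$;

– $b^f(X) = \{[u] : u \in b(X)\}$;

– $[u] R^f_a [v]$ iff for all terms $\forall_{\le a} t \in \Theta$,
  • $u \in (\forall_{\le a} t)^{\mathfrak{S}}$ implies $v \in t^{\mathfrak{S}}$ and
  • $v \in (\forall_{\le a} t)^{\mathfrak{S}}$ implies $u \in t^{\mathfrak{S}}$;
– $[u] \overline{R}^f_a [v]$ iff for all terms $\forall_{>a} t \in \Theta$,
  • $u \in (\forall_{>a} t)^{\mathfrak{S}}$ implies $v \in t^{\mathfrak{S}}$ and
  • $v \in (\forall_{>a} t)^{\mathfrak{S}}$ implies $u \in t^{\mathfrak{S}}$.


Since $\Theta$ is finite, $W^f$ is finite as well. Note also that $b^f(X^z) = \{b^f(z)\}$ whenever
$(z \in X^z) \in \Phi_3'$.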


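Lemma 8. (1) For every $t \in \Theta$ and every $u \in W$, $u \in t^{\mathfrak{S}}$ iff $[u] \in t^{\mathfrak{S}^f}$.
(2) For all $(\delta(y, z) = a) \in \Phi_3$, $a = \min\{b \in M : b^f(y) R^f_b b^f(z)\}$.
(3) $\mathfrak{S}^f$ satisfies (i), (iii)-(vii) in Section 4.


Proof. (1) is proved by an easy induction on the construction of $t$. To prove (2),
take $(\delta(y, z) = a) \in \Phi_3$. We must show that $b^f(y) R^f_a b^f(z)$ and $\neg b^f(y) R^f_b b^f(z)$,
for all $a > b \in M$. Notice first that $u R_a v$ implies $[u] R^f_a [v]$ and $u \overline{R}_a v$ implies
$[u] \overline{R}^f_a [v]$. Since $\mathfrak{M}_2 \models \Phi$, we have $\mathfrak{M}_2 \models \delta(y, z) = a$, and so $d'(b(y), b(z)) = a$.
Hence $b(y) R_a b(z)$ and $b^f(y) R^f_a b^f(z)$. Suppose now that $b < a$ and consider
$\forall_{\le b} \neg X^z$. By definition, $b(X^z) = \{b(z)\}$. Hence $b(z) \notin (\neg X^z)^{\mathfrak{S}}$. On the
other hand, we have $b < d'(b(y), b(z))$, from which $b(y) \in (\forall_{\le b} \neg X^z)^{\mathfrak{S}}$. Since
$(\forall_{\le b} \neg X^z) \in \Theta$, we then obtain $\neg b^f(y) R^f_b b^f(z)$.

Now let us prove (3). Condition (vii), i.e., $[w] R^f_a [u]$ iff $[u] R^f_a [w]$, holds by
definition.

(i), i.e., $R^f_a \cup \overline{R}^f_a = W^f \times W^f$. If $\neg [u] R^f_a [v]$ then $\neg u R_a v$, and so $u \overline{R}_a v$, since
$\mathfrak{S}$ satisfies (i). Thus $[u] \overline{R}^f_a [v]$.

(iii), i.e., if $[u] R^f_a [v]$ and $a \le b$ then $[u] R^f_b [v]$. Let $[u] R^f_a [v]$ and $a \le b$, for
$b \in M$. Suppose $u \in (\forall_{\le b} t)^{\mathfrak{S}}$. By the definition of $\Theta = cl(\Phi)$, $\forall_{\le a} t \in \Theta$, and so
$u \in (\forall_{\le a} t)^{\mathfrak{S}}$. Hence $v \in t^{\mathfrak{S}}$. The other direction is considered in the same way.

(iv), i.e., if $[u] \overline{R}^f_a [v]$ and $a \ge b$ then $[u] \overline{R}^f_b [v]$. Let $[u] \overline{R}^f_a [v]$ and $a \ge b$, and
suppose that $u \in (\forall_{>b} t)^{\mathfrak{S}}$. Then $\forall_{>a} t \in \Theta$, $u \in (\forall_{>a} t)^{\mathfrak{S}}$, and so $v \in t^{\mathfrak{S}}$. Again,
the other direction is treated analogously.

(v), i.e., $[u] R^f_0 [v]$ iff $[u] = [v]$. The implication ($\Leftarrow$) is obvious. So suppose
$[u] R^f_0 [v]$. Take some $t \in \Theta$ with $u \in t^{\mathfrak{S}}$. Without loss of generality we may
assume that $t$ is not of the form $\forall_{\le 0} s$. Then, by the definition of $\Theta$, $u \in (\forall_{\le 0} t)^{\mathfrak{S}}$
and $\forall_{\le 0} t \in \Theta$. Hence $v \in t^{\mathfrak{S}}$. In precisely the same way one can show that for
all $t \in \Theta$, $v \in t^{\mathfrak{S}}$ implies $u \in t^{\mathfrak{S}}$. Therefore, $[u] = [v]$.

(vi), i.e., if $[u] R^f_a [v]$ and $[v] R^f_b [w]$, then $[u] R^f_{a+b} [w]$, for $(a + b) \in M$. Suppose
$u \in (\forall_{\le a+b} t)^{\mathfrak{S}}$. Then $\forall_{\le a} \forall_{\le b} t \in \Theta$ and $u \in (\forall_{\le a} \forall_{\le b} t)^{\mathfrak{S}}$. Hence $w \in t^{\mathfrak{S}}$. For
the other direction, assume $w \in (\forall_{\le a+b} t)^{\mathfrak{S}}$. Again, we have $\forall_{\le b} \forall_{\le a} t \in \Theta$ and
$w \in (\forall_{\le b} \forall_{\le a} t)^{\mathfrak{S}}$. In view of (vii) we then obtain $u \in t^{\mathfrak{S}}$.

(viii), i.e., if $[u] R^f_a [v]$ and $[u] \overline{R}^f_{a+b} [w]$ then $[v] \overline{R}^f_b [w]$, for $(a + b) \in M$. Suppose
$v \in (\forall_{>b} t)^{\mathfrak{S}}$. Then $\neg\forall_{\le a} \neg\forall_{>b} t \in \Theta$ and $u \in (\neg\forall_{\le a} \neg\forall_{>b} t)^{\mathfrak{S}}$. Hence
$u \in (\forall_{>(a+b)} t)^{\mathfrak{S}}$ and so $w \in t^{\mathfrak{S}}$. For the other direction, suppose $w \in (\forall_{>b} t)^{\mathfrak{S}}$.
Then $u \in (\neg\forall_{>(a+b)} \neg\forall_{>b} t)^{\mathfrak{S}}$ and $\neg\forall_{>(a+b)} \neg\forall_{>b} t \in \Theta$. Hence $u \in (\forall_{\le a} t)^{\mathfrak{S}}$ and
so $v \in t^{\mathfrak{S}}$.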

Unfortunately, $\mathfrak{S}^f$ does not necessarily satisfy (ii), which is required to construct
the model $\mathfrak{M}^*$ we need: it may happen that for some points $[u], [v]$ in $W^f$
and $a \in M$, we have both $[u] R^f_a [v]$ and $[u] \overline{R}^f_a [v]$. To ‘cure’ these defects, we have
to perform some surgery. The defects form the set


$$D(W^f) = \{d \in W^f : \exists a \in M\; \exists x \in W^f\, (x R^f_a d \ \&\ x \overline{R}^f_a d)\}.$$
Let
$$W^* = \{(d, i) : d \in D(W^f),\ i \in \{0, 1\}\} \cup \{(c, 0) : c \in W^f - D(W^f)\}.$$


So for each $d \in D(W^f)$ we have now two copies $(d, 0)$ and $(d, 1)$. Define an
assignment $b^*$ in $W^*$ by taking


– $b^*(x) = (b^f(x), 0)$ and
– $b^*(X) = \{(c, i) \in W^* : c \in b^f(X)\}$.
Finally, we define accessibility relations $R^*_a$ and $\overline{R}^*_a$ as follows:


– if $a > 0$ then $(c, i) R^*_a (d, j)$ iff either
  • $c R^f_a d$ and $\neg c \overline{R}^f_a d$, or
  • $c R^f_a d$ and $i = j$;
– if $a = 0$ then $(c, i) R^*_a (d, j)$ iff $(c, i) = (d, j)$;
– $\overline{R}^*_a$ is defined as the complement of $R^*_a$, i.e., $(c, i) \overline{R}^*_a (d, j)$ iff $\neg (c, i) R^*_a (d, j)$.


Lemma 9. $\mathfrak{S}^* = (W^*, (R^*_a)_{a \in M}, (\overline{R}^*_a)_{a \in M}, b^*)$ is an $M$-standard relational
metric model.


Proof. That $\mathfrak{S}^*$ satisfies (i), (ii), and (v) follows immediately from the definition.
Let us check the remaining conditions.

(iii) Suppose $(c, i) R^*_a (d, j)$ and $a \le b \in M$. If $i = j$ then clearly $(c, i) R^*_b (d, j)$.
So assume $i \ne j$. Then, by definition, $c R^f_a d$ and $\neg c \overline{R}^f_a d$. Since $\mathfrak{S}^f$ satisfies (iii)
and (iv), we obtain $c R^f_b d$ and $\neg c \overline{R}^f_b d$. Thus $(c, i) R^*_b (d, j)$.

(iv) Suppose that $(c, i) \overline{R}^*_a (d, j)$ and $a \ge b \in M$, but $\neg (c, i) \overline{R}^*_b (d, j)$. By (i),
$(c, i) R^*_b (d, j)$. And by (iii), $(c, i) R^*_a (d, j)$. Finally, (ii) yields $\neg (c, i) \overline{R}^*_a (d, j)$,
which is a contradiction.

(vi) Suppose $(c, i) R^*_a (d, j)$, $(d, j) R^*_b (e, k)$ and $a + b \in M$. Then $c R^f_a d$ and
$d R^f_b e$. As $\mathfrak{S}^f$ satisfies (vi), we have $c R^f_{a+b} e$. If $i = k$ then clearly $(c, i) R^*_{a+b} (e, k)$.
So assume $i \ne k$. If $i = j \ne k$ then $\neg c \overline{R}^f_{a+b} e$ by (viii), since $c R^f_a d$ and $\neg d \overline{R}^f_b e$. The case
$i \ne j = k$ is considered analogously using the fact that the relations in $\mathfrak{S}^f$ are
symmetric.

(vii) follows from the symmetry of $R^f_a$ and $\overline{R}^f_a$.


Lemma 10. For all $(d, i) \in W^*$ and $t \in \Theta$, we have $(d, i) \in t^{\mathfrak{S}^*}$ iff $d \in t^{\mathfrak{S}^f}$.

Proof. The proof is by induction on $t$. The basis of induction and the case of
Booleans are trivial. The cases $t = (\forall_{\le a} s)$ and $t = (\forall_{>a} s)$ are consequences of
the following claims:

Claim 1: if $c R^f_a d$ and $i \in \{0, 1\}$, then there exists $j$ such that $(c, i) R^*_a (d, j)$.
Indeed, this is clear for $i = 0$. Suppose $i = 1$. If $d$ was duplicated, then $(d, 1)$ is
as required. If $d$ was not duplicated, then $\neg c \overline{R}^f_a d$, and so $(d, 0)$ is as required.

Claim 2: if $(c, i) R^*_a (d, j)$ then $c R^f_a d$. This is obvious.

Claim 3: if $c \overline{R}^f_a d$ and $i \in \{0, 1\}$ then there exists $j$ such that $\neg (c, i) R^*_a (d, j)$.
Suppose $i = 0$. If $d$ was not duplicated, then $\neg c R^f_a d$. Hence $\neg (c, 0) R^*_a (d, 0)$. If $d$
was duplicated, then $\neg (c, 0) R^*_a (d, 1)$. In the case $i = 1$ we have $\neg (c, 1) R^*_a (d, 0)$.

Claim 4: if $\neg (c, i) R^*_a (d, j)$ then $c \overline{R}^f_a d$. Indeed, if $i = j$ then $\neg c R^f_a d$ and so
$c \overline{R}^f_a d$. And if $i \ne j$ then $c \overline{R}^f_a d$.


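To complete the proof of Theorem 6, we transform $\mathfrak{S}^*$ into a finite metric
space model and show that this model satisfies $\Phi$. Put $\mathfrak{M}^* = (W^*, d^*, \mathfrak{b}^*)$, where
for all $w, v \in W^*$,

$d^*(w,v) = \min\{\gamma,\ a \in M : w R^*_a v\}.$

As $M$ is finite, $d^*$ is well-defined. Using (v)-(vii), it is easy to see that $d^*$ is a
metric. So $\mathfrak{M}^*$ is a finite metric space model. It remains to show that $\mathfrak{M}^*$ satisfies
$\Phi$. Note first that

(†) for all $w \in W^*$ and $t \in t(\Phi)$, we have $w \in t^{\mathfrak{S}^*}$ iff $w \in t^{\mathfrak{M}^*}$.

This claim is proved by induction on $t$. The basis and the Boolean cases are
clear. So let $t = (\forall_{\le a} s)$ for some $a \in M$. Then

$w \in (\forall_{\le a} s)^{\mathfrak{S}^*} \Leftrightarrow_1 \forall v\, (w R^*_a v \to v \in s^{\mathfrak{S}^*})$
$\Leftrightarrow_2 \forall v\, (w R^*_a v \to v \in s^{\mathfrak{M}^*})$
$\Leftrightarrow_3 \forall v\, (d^*(w,v) \le a \to v \in s^{\mathfrak{M}^*})$
$\Leftrightarrow_4 w \in (\forall_{\le a} s)^{\mathfrak{M}^*}.$

Equivalences $\Leftrightarrow_1$ and $\Leftrightarrow_4$ are obvious; $\Leftrightarrow_2$ holds by the induction hypothesis;
$\Leftarrow_3$ is an immediate consequence of the definition of $d^*$, and $\Rightarrow_3$ follows from
(iii). The case $t = (\forall_{>a} s)$ is proved analogously.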

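We can now show that $\mathfrak{M}^* \models \Phi_1$. Let $(z \in t) \in \Phi_1$. Then we have:

$\mathfrak{M}^* \models z \in t \Leftrightarrow_1 \mathfrak{b}^*(z) \in t^{\mathfrak{M}^*} \Leftrightarrow_2 \mathfrak{b}^*(z) \in t^{\mathfrak{S}^*} \Leftrightarrow_3 (\mathfrak{b}^f(z), 0) \in t^{\mathfrak{S}^*} \Leftrightarrow_4$
$\mathfrak{b}^f(z) \in t^{\mathfrak{S}^f} \Leftrightarrow_5 [\mathfrak{b}(z)] \in t^{\mathfrak{S}^f} \Leftrightarrow_6 \mathfrak{b}(z) \in t^{\mathfrak{S}} \Leftrightarrow_7 \mathfrak{b}(z) \in t^{\mathfrak{M}} \Leftrightarrow_8 \mathfrak{M} \models z \in t.$

Equivalences $\Leftrightarrow_1$ and $\Leftrightarrow_8$ are obvious; $\Leftrightarrow_2$ follows from (†); $\Leftrightarrow_3$ and $\Leftrightarrow_5$ hold
by definition; $\Leftrightarrow_4$ follows from Lemma 10, $\Leftrightarrow_6$ from Lemma 8, and $\Leftrightarrow_7$ from
Lemma 3.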

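Since $\mathfrak{M} \models \Phi_1$, we have $\mathfrak{M}^* \models \Phi_1$. That $\mathfrak{M}^* \models \Phi_2$ is proved analogously
using (†).

It remains to show that $\mathfrak{M}^* \models \Phi_3$. Take any $\delta(y,z) = a$ from $\Phi_3$. We must
show that $d^*(\mathfrak{b}^*(y), \mathfrak{b}^*(z)) = a$. By Lemma 8 (2),

$a = \min\{ b \in M : \mathfrak{b}^f(y) R^f_b \mathfrak{b}^f(z) \}.$

So $a = \min\{ b \in M : (\mathfrak{b}^f(y), 0) R^*_b (\mathfrak{b}^f(z), 0) \}$. By the definition of $\mathfrak{b}^*$ we have
$a = \min\{ b \in M : \mathfrak{b}^*(y) R^*_b \mathfrak{b}^*(z) \}$, which means that $d^*(\mathfrak{b}^*(y), \mathfrak{b}^*(z)) = a$.
This completes the proof of Theorem 6.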


Thus, by Theorem 6 and Lemma 4 (2), $\varphi$ is satisfied in the finite model $\mathfrak{M}^*$.

Yet this is not enough to prove the decidability of $MS_2[Q]$: we still do not
know an effectively computable upper bound for the size of a finite model
satisfying $\varphi$. Indeed, the set $M(\Phi)$ depends not only on $\varphi$, but also on the initial
model $\mathfrak{M}$ satisfying $\varphi$. Note, however, that by Lemmas 5 and 6 the size of $\mathfrak{M}^*$
can be computed from the maximum of $M(\Phi)$, the minimum of $M(\Phi) - \{0\}$,
and $\varphi$. Hence, to obtain the effective upper bound we need, it suffices to start the
construction with a model satisfying $\varphi$ for which both the maximum of $M(\Phi)$
and the minimum of $M(\Phi) - \{0\}$ are known. The next lemma shows how to
obtain such a model.


Lemma 11. Suppose a formula $\varphi \in MS_2[Q]$ is satisfied in a metric space model
$(W, d, \mathfrak{a})$. Denote by $D$ the set of all $\delta(x,y)$ occurring in $\varphi$, and let $a$ and $b$ be the
minimal positive number and the maximal number occurring in $\varphi$, respectively
(if no such number exists, then put $a = b = 1$). Then there is a metric $d'$ on $W$
such that $\varphi$ is satisfied in $(W, d', \mathfrak{a})$ and

$\min\{ d'(\mathfrak{a}(x), \mathfrak{a}(y)) > 0 : \delta(x,y) \in D \} \ge a/2,$
$\max\{ d'(\mathfrak{a}(x), \mathfrak{a}(y)) : \delta(x,y) \in D \} \le 2b.$

Proof. Let

$a' = \min\{ d(\mathfrak{a}(x), \mathfrak{a}(y)) > 0 : \delta(x,y) \in D \},$
$b' = \max\{ d(\mathfrak{a}(x), \mathfrak{a}(y)) : \delta(x,y) \in D \}.$

We consider here the case when $a' < a/2$ and $2b < b'$. The case when this is not
so is easy; we leave it to the reader. Define $d'$ by taking

$$d'(x,y) = \begin{cases} d(x,y) & \text{if } a \le d(x,y) \le b \text{ or } d(x,y) = 0, \\ b + \frac{b}{b' - b} \cdot (d(x,y) - b) & \text{if } d(x,y) > b, \\ a + \frac{a}{2(a - a')} \cdot (d(x,y) - a) & \text{if } 0 < d(x,y) < a. \end{cases}$$

One can readily show now that $d'$ is a metric and $(W, d', \mathfrak{a})$ satisfies $\varphi$.
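The piecewise definition of $d'$ can be checked numerically. The following is a minimal sketch, not part of the original proof: the function name `rescale` and the sample values of $a$, $b$, $a'$, $b'$ are illustrative assumptions, chosen so that $a' < a/2$ and $2b < b'$ as in the case treated above. It confirms that the extreme distances $a'$ and $b'$ are mapped to $a/2$ and $2b$.

```python
from fractions import Fraction

def rescale(dist, a, b, a_prime, b_prime):
    """Return d'(x, y) for dist = d(x, y), following the three cases above.

    Assumes a' < a/2 and 2b < b' (the case treated in the proof).
    """
    if dist == 0 or a <= dist <= b:
        return dist                                     # distances in [a, b] and 0 are kept
    if dist > b:
        return b + (b / (b_prime - b)) * (dist - b)     # large distances are compressed
    return a + (a / (2 * (a - a_prime))) * (dist - a)   # small positive distances are stretched

# Hypothetical sample parameters (exact rationals avoid rounding issues).
a, b = Fraction(1), Fraction(2)
a_prime, b_prime = Fraction(1, 10), Fraction(10)

smallest = rescale(a_prime, a, b, a_prime, b_prime)   # image of the smallest positive distance
largest = rescale(b_prime, a, b, a_prime, b_prime)    # image of the largest distance
```

With these sample values the smallest positive distance lands exactly on $a/2$ and the largest on $2b$, which is what the two bounds of Lemma 11 require.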


6 Weaker Distance Spaces 


As was mentioned in Section 1, our everyday life experience gives interesting
measures of distances which lack some of the features characteristic of metric
spaces. Without trying to cover all possible cases, we list here some possible ways of
defining such alternative measures by modifying the axioms of standard metric
spaces:

- we can omit either the symmetry axiom or the triangle inequality;
- we can omit both of them;
- we can allow $d$ to be a partial function satisfying the following conditions
  for all $w, v, u \in W$, where $dom(d)$ is the domain of $d$:
  • $(w,w) \in dom(d)$ and $d(w,w) = 0$,
  • if $(w,v) \in dom(d)$ and $d(w,v) = 0$, then $w = v$,
  • if $(w,v) \in dom(d)$ and $(v,u) \in dom(d)$, then $(w,u) \in dom(d)$ and
    $d(w,u) \le d(w,v) + d(v,u)$,
  • if $(w,v) \in dom(d)$, then $(v,w) \in dom(d)$ and $d(w,v) = d(v,w)$.

Using almost the same techniques as above one can generalize the obtained
results on the decidability and finite model property of $MS_2$ to these weaker
metric spaces as well.
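For a finite set $W$, the four conditions on a partial distance function can be tested directly. The sketch below is only an illustration under assumptions of our own: the partial function is represented as a Python dictionary from pairs to numbers, and the name `is_partial_distance` is hypothetical.

```python
from itertools import product

def is_partial_distance(points, d):
    """Check the four conditions for a partial function d given as a dict
    mapping some pairs (w, v) of points to non-negative numbers."""
    # (w, w) must be in the domain with distance 0.
    for w in points:
        if d.get((w, w)) != 0:
            return False
    for (w, v), value in d.items():
        # Distance 0 only between identical points.
        if value == 0 and w != v:
            return False
        # The domain and the values are symmetric.
        if (v, w) not in d or d[(v, w)] != value:
            return False
    # The domain is closed under composition and the triangle inequality holds.
    for (w, v), (v2, u) in product(d, d):
        if v == v2:
            if (w, u) not in d or d[(w, u)] > d[(w, v)] + d[(v, u)]:
                return False
    return True

points = {"p", "q", "r"}
# p and q are at distance 1; r is not comparable with either of them.
good = {("p", "p"): 0, ("q", "q"): 0, ("r", "r"): 0, ("p", "q"): 1, ("q", "p"): 1}
# Same as above but with the symmetric pair (q, p) missing.
bad = {("p", "p"): 0, ("q", "q"): 0, ("r", "r"): 0, ("p", "q"): 1}
```

Here `good` satisfies all four conditions even though the distance between `r` and the other points is undefined, while `bad` fails the symmetry condition.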
Abstract. In this paper we show the embedding of Hybrid Probabilistic
Logic Programs into the rather general framework of Residuated
Logic Programs, where the main results of (definite) logic programming 
are validly extrapolated, namely the extension of the immediate conse- 
quences operator of van Emden and Kowalski. The importance of this 
result is that for the first time a framework encompassing several quite 
distinct logic programming semantics is described, namely Generalized 
Annotated Logic Programs, Fuzzy Logic Programming, Hybrid Proba- 
bilistic Logic Programs, and Possibilistic Logic Programming. Moreover, 
the embedding provides a more general semantical structure paving the 
way for defining paraconsistent probabilistic reasoning logic program- 
ming semantics. 


1 Introduction 


The literature on logic programming theory is brimming with proposals of lan- 
guages and semantics for extensions of definite logic programs (e.g. [7,15,4,10]), 
i.e. without non-monotonic or default negation. Usually, the authors character- 
ize their programs with a model theoretic semantics, where a minimum model is 
guaranteed to exist, and a corresponding monotonic fixpoint operator (continu- 
ous or not). In many cases these semantics are many-valued. 

In this paper we start by defining a rather general framework of Residuated 
Logic Programs. We were inspired by the deep theoretical results of many-valued 
logics and fuzzy logic (see [1,9] for excellent accounts) and applied these ideas 
to logic programming. In fact, a preliminary work in this direction is [15], but 
the authors restrict themselves to a linearly ordered set of truth-values (the real 
closed interval [0, 1]) and to a very limited syntax: the head of rules is a literal and 
the body is a multiplication (t-norm) of literals. Our main semantical structures 
are residuated (or residual) lattices (cf. [1,9]), where a generalized modus ponens
rule is defined. This characterizes the essence of logic programming: from the 
truth-value of bodies for rules for an atom we can determine the truth-value of 
that atom, depending on the confidence in the rules. 
Besides fuzzy reasoning, probabilistic reasoning forms are essential for knowledge
representation in real-world applications. However, a major difficulty is that
there are several logical ways of determining the probabilities of complex events
(conjunctions or disjunctions) from primitive ones. To address this issue, a model
theory, fixpoint theory and proof theory for hybrid probabilistic logic programs
were recently introduced [4,3]. The generality of Residuated Logic Programming
is illustrated in practice by presenting an embedding of Hybrid Probabilistic Logic
Programs [4,3] into our framework.

Our paper proceeds as follows. In the next section we present the residuated 
logic programs. Afterwards, we overview the hybrid probabilistic logic program- 
ming setting and subsequently provide the embedding. We finally draw some 
conclusions and point out future directions. We included the main proofs for the 
sake of completeness. 


2 Residuated Logic Programs 


The theoretical foundations of logic programming were clearly established
in [11,14] for definite logic programs (see also [12]), i.e. programs made up of
rules of the form $A_0 \subset A_1 \wedge \ldots \wedge A_n$ $(n \ge 0)$ where each $A_i$ $(0 \le i \le n)$ is a
propositional symbol (an atom), $\subset$ is classical implication, and $\wedge$ the usual Boolean
conjunction¹. In this section we generalize the language and semantics of definite
logic programs in order to encompass more complex bodies and heads and,
evidently, multi-valued logics. For simplicity, we consider only the propositional
(ground) case.

In general, a logic programming semantics requires a notion of consequence 
(implication) which satisfies a generalization of Modus Ponens to a multi-valued 
setting. The generalization of Modus Ponens to multi-valued logics is very well 
understood, namely in Fuzzy Propositional Logics [13,1,9]. Since one of our initial 
goals was to capture Fuzzy Logic Programming [6,15], it was natural to adopt 
as semantical basis the residuated lattices (see [5,1]). This section summarizes 
the results fully presented and proved in [2]. We first require some definitions. 


Definition 1 (Adjoint pair). Let $\langle P, \preceq_P \rangle$ be a partially ordered set and
$(\leftarrow, \otimes)$ a pair of binary operations in $P$ such that:

(a1) Operation $\otimes$ is isotonic, i.e. if $x_1, x_2, y \in P$ such that $x_1 \preceq_P x_2$ then
$(x_1 \otimes y) \preceq_P (x_2 \otimes y)$ and $(y \otimes x_1) \preceq_P (y \otimes x_2)$;

(a2) Operation $\leftarrow$ is isotonic in the first argument (the consequent) and antitonic
in the second argument (the antecedent), i.e. if $x_1, x_2, y \in P$ such that $x_1 \preceq_P x_2$
then $(x_1 \leftarrow y) \preceq_P (x_2 \leftarrow y)$ and $(y \leftarrow x_2) \preceq_P (y \leftarrow x_1)$;

(a3) For any $x, y, z \in P$, we have that $x \preceq_P (y \leftarrow z)$ holds if and only if
$(x \otimes z) \preceq_P y$ holds.

Then we say that $(\leftarrow, \otimes)$ forms an adjoint pair in $\langle P, \preceq_P \rangle$.


¹ We remove the parentheses to simplify the reading of the rule.

The intuition of the first two properties is immediate; the third one may be
more difficult to grasp. In one direction, it is simply asserting that the following
Fuzzy Modus Ponens rule is valid (cf. [9]):

If $x$ is a lower bound of $\psi \leftarrow \varphi$, and $z$ is a lower bound of $\varphi$ then a lower
bound $y$ of $\psi$ is $x \otimes z$.

The other direction is ensuring that the truth-value of $y \leftarrow x$ is the maximal $z$
satisfying $x \otimes z \preceq_P y$.
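Property (a3) can be verified exhaustively on a small example. The sketch below is an illustration only and is not taken from the paper: it uses the well-known Gödel operations (minimum as multiplication, with its standard residuum) on a five-element chain, and the names `CHAIN`, `times`, `residuum` and `is_adjoint_pair` are assumptions of this example.

```python
from itertools import product

CHAIN = range(5)   # truth values 0 < 1 < 2 < 3 < 4, with 4 as the top element

def times(x, z):
    """Goedel multiplication: the minimum of the two values."""
    return min(x, z)

def residuum(y, z):
    """y <- z: top if z <= y, otherwise y."""
    return max(CHAIN) if z <= y else y

def is_adjoint_pair():
    """Check (a3): x <= (y <- z) holds iff times(x, z) <= y holds."""
    return all((x <= residuum(y, z)) == (times(x, z) <= y)
               for x, y, z in product(CHAIN, repeat=3))

def is_maximal_solution():
    """Check that y <- z is the largest x with times(x, z) <= y."""
    return all(residuum(y, z) == max(x for x in CHAIN if times(x, z) <= y)
               for y, z in product(CHAIN, repeat=2))
```

Both checks succeed on this chain, which matches the reading of (a3) given above: the residuum is exactly the largest value whose product with the antecedent stays below the consequent.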

Besides (a1)-(a3) it is necessary to impose extra conditions on the multiplication
operation ($\otimes$), namely associativity, commutativity and existence of a unit
element. It is also indispensable to assume the existence of a bottom element in
the lattice of truth-values (the zero element). Formally:

Definition 2 (Residuated Lattice). Consider the lattice $\langle L, \preceq_L \rangle$. We say
that $(\preceq_L, \leftarrow, \otimes)$ is a residuated lattice whenever the following three conditions
are met:

(l1) $\langle L, \preceq_L \rangle$ is a bounded lattice, i.e. it has bottom ($\bot$) and top ($\top$) elements;
(l2) $(\leftarrow, \otimes)$ is an adjoint pair in $\langle L, \preceq_L \rangle$;
(l3) $(L, \otimes, \top)$ is a commutative monoid.

We say that the residuated lattice is complete whenever $\langle L, \preceq_L \rangle$ is complete.
In this case, condition (l1) is immediately satisfied.


Our main semantical structure is a residuated algebra, an algebra where a 
multiplication operation is defined, the corresponding residuum operation (or 
implication), and a constant representing the top element of the lattice of truth- 
values (whose set is the carrier of the algebra). They must define a complete 
residuated lattice, since we intend to deal with infinite programs (theories). Ob- 
viously, a residuated algebra may have additional operators. Formally: 


Definition 3 (Residuated Algebra). Consider an algebra $\mathfrak{R}$ defining operators
$\leftarrow$, $\otimes$ and $\top$ on carrier set $T_{\mathfrak{R}}$ such that $\preceq$ is a partial order on $T_{\mathfrak{R}}$. We
say that $\mathfrak{R}$ is a residuated algebra with respect to $(\leftarrow, \otimes)$ if $(\preceq, \leftarrow, \otimes)$ is a
complete residuated lattice. Furthermore, operator $\top$ is a constant mapped to the top
element of $T_{\mathfrak{R}}$.


Our Residuated Logic Programs will be constructed from the abstract syntax 
induced by a residuated algebra and a set of propositional symbols. The way of 
relating syntax and semantics in such algebraic setting is well-known and we 
refer to [8] for more details. 


Definition 4 (Residuated Logic Programs). Let $\mathfrak{R}$ be a residuated algebra
with respect to $(\leftarrow, \otimes, \top)$. Let $\Pi$ be a set of propositional symbols and the
corresponding algebra of formulae $\mathfrak{F}$ freely generated from $\Pi$. A residuated logic
program is a set of weighted rules of the form $\langle (A \leftarrow \Psi), \vartheta \rangle$ such that:

1. The rule $(A \leftarrow \Psi)$ is a formula of $\mathfrak{F}$;
2. The confidence factor $\vartheta$ is a truth-value of $\mathfrak{R}$ belonging to $T_{\mathfrak{R}}$;
3. The head of the rule $A$ is a propositional symbol of $\Pi$.
4. The body formula $\Psi$ corresponds to an isotonic function with propositional
   symbols $B_1, \ldots, B_n$ $(n \ge 0)$ as arguments.

To simplify the notation, we represent the above pair as $A \xleftarrow{\vartheta} \Psi[B_1, \ldots, B_n]$,
where $B_1, \ldots, B_n$ are the propositional variables occurring in $\Psi$. Facts are rules
of the form $A \xleftarrow{\vartheta} \top$.


A rule of a residuated logic program expresses a (monotonic) computation
rule of the truth-value of the head propositional symbol from the truth-values
of the symbols in the body. The monotonicity of the rule is guaranteed by the
isotonicity of formula $\Psi$: if an argument of $\Psi$ is monotonically increased then the
truth-value of $\Psi$ also monotonically increases.

As usual, an interpretation is simply an assignment of truth-values to every
propositional symbol in the language. To simplify the presentation we assume,
throughout the rest of this section, that a residuated algebra $\mathfrak{R}$ is given with
respect to $(\leftarrow, \otimes, \top)$.


Definition 5 (Interpretation). An interpretation is a mapping $I : \Pi \to T_{\mathfrak{R}}$.
It is well known that an interpretation extends uniquely to a valuation function $\hat{I}$
from the set of formulas to the set of truth values. The set of all interpretations
with respect to the residuated algebra $\mathfrak{R}$ is denoted by $\mathcal{I}_{\mathfrak{R}}$.

The ordering $\preceq$ of the truth-values $T_{\mathfrak{R}}$ is extended to the set of interpretations
as usual:

Definition 6 (Lattice of interpretations). Consider the set of all interpretations
with respect to the residuated algebra $\mathfrak{R}$ and the two interpretations $I_1, I_2 \in \mathcal{I}_{\mathfrak{R}}$.
Then, $\langle \mathcal{I}_{\mathfrak{R}}, \sqsubseteq \rangle$ is a complete lattice where $I_1 \sqsubseteq I_2$ iff $\forall p \in \Pi:\ I_1(p) \preceq I_2(p)$.
The least interpretation $\Delta$ maps every propositional symbol to the least element
of $T_{\mathfrak{R}}$.


A rule of a residuated logic program is satisfied whenever the truth-value of 
the rule is greater or equal than the confidence factor associated with the rule. 
Formally: 


Definition 7. Consider an interpretation $I \in \mathcal{I}_{\mathfrak{R}}$. A weighted rule $\langle (A \leftarrow \Psi), \vartheta \rangle$
is satisfied by $I$ iff $\hat{I}((A \leftarrow \Psi)) \succeq \vartheta$. An interpretation $I \in \mathcal{I}_{\mathfrak{R}}$ is a model of a
residuated logic program $P$ iff all weighted rules in $P$ are satisfied by $I$.

Note that we used $\hat{I}$ instead of $I$ in the evaluation of the truth-value of a rule,
since a complex formula is being evaluated instead of a propositional symbol. If
$\leftarrow_{\mathfrak{R}}$ is the function in $\mathfrak{R}$ defining the truth-table for the implication operator,
the expression $\hat{I}((A \leftarrow \Psi))$ is equal to

$\hat{I}(A) \leftarrow_{\mathfrak{R}} \hat{I}(\Psi) = I(A) \leftarrow_{\mathfrak{R}} \hat{I}(\Psi)$

The evaluation of $\hat{I}(\Psi)$ proceeds inductively as usual, until all propositional
symbols in $\Psi$ are reached and evaluated in $I$.
The immediate consequences operator of van Emden and Kowalski [14] is
extended to the very general theoretical setting of residuated logic programs as
follows:

Definition 8. Let $P$ be a residuated logic program. The monotonic immediate
consequences operator $T_P^{\mathfrak{R}} : \mathcal{I}_{\mathfrak{R}} \to \mathcal{I}_{\mathfrak{R}}$, mapping interpretations to
interpretations, is defined by:

$T_P^{\mathfrak{R}}(I)(A) = \mathrm{lub}\, \{ \vartheta \otimes \hat{I}(\Psi) \text{ such that } A \xleftarrow{\vartheta} \Psi[B_1, \ldots, B_n] \in P \}$

As remarked before, the monotonicity of the operator $T_P^{\mathfrak{R}}$ has been shown
in [2]. The semantics of a residuated logic program is characterized by the
post-fixpoints of $T_P^{\mathfrak{R}}$:

Theorem 1. An interpretation $I$ of $\mathcal{I}_{\mathfrak{R}}$ is a model of a residuated logic program
$P$ iff $T_P^{\mathfrak{R}}(I) \sqsubseteq I$. Moreover, the semantics of $P$ is given by its least model which
is exactly the least fixpoint of $T_P^{\mathfrak{R}}$. The least model of $P$ can be obtained by
transfinitely iterating $T_P^{\mathfrak{R}}$ from the least interpretation $\Delta$.


The major difference from classical logic programming is that our $T_P^{\mathfrak{R}}$ may
not be continuous, and therefore more than $\omega$ iterations may be necessary to
reach the least fixpoint. This is unavoidable if one wants to keep generality.
All the other important results carry over to our general framework.
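To make the operator concrete, here is a minimal sketch of its iteration for a finite program. It is an illustration under assumptions that are not in the paper: truth values are taken from $[0,1]$ with minimum as multiplication and maximum as least upper bound (a Gödel-style algebra), rule bodies are represented as Python functions of the interpretation, and the names `tp`, `least_model` and the three sample rules are hypothetical. For such a finite program the iteration stops after finitely many steps; the transfinite case mentioned above is not covered.

```python
def tp(program, interp):
    """One application of the immediate consequences operator.

    program: list of (head, weight, body), where body maps an interpretation
    (a dict from atoms to truth values) to a truth value in [0, 1].
    Multiplication is min and the least upper bound is max.
    """
    result = {atom: 0.0 for atom in interp}
    for head, weight, body in program:
        result[head] = max(result[head], min(weight, body(interp)))
    return result

def least_model(program, atoms):
    """Iterate tp from the least interpretation until a fixpoint is reached."""
    interp = {atom: 0.0 for atom in atoms}
    while True:
        following = tp(program, interp)
        if following == interp:
            return interp
        interp = following

# Hypothetical sample program.
program = [
    ("p", 0.8, lambda i: 1.0),                   # fact p with confidence 0.8
    ("q", 0.9, lambda i: i["p"]),                # q <- p with confidence 0.9
    ("r", 0.7, lambda i: min(i["p"], i["q"])),   # r <- p (x) q with confidence 0.7
]

model = least_model(program, ["p", "q", "r"])
```

The resulting interpretation assigns 0.8 to `p` and `q` and 0.7 to `r`, and applying `tp` to it once more leaves it unchanged, as expected of a fixpoint.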


3 Hybrid Probabilistic Logic Programs 


In this section we provide an overview of the main definitions and results in [4,3]. 
We do not address any of the aspects of the proof theory present in these works. 
A major motivation for the Hybrid Probabilistic Logic Programs is the need for 
combining several probabilistic reasoning forms within a general framework. To 
capture this generality, the authors introduced the new notion of probabilistic 
strategies. 

A first important remark is that the probabilities of compound events may be
closed intervals in [0,1], and not simply real-valued probability assignments. The
set of all closed intervals of [0,1] is denoted by $\mathcal{C}[0,1]$. Recall that the empty set
$\emptyset$ is a closed interval. In $\mathcal{C}[0,1]$ two partial orders are defined. Let $[a,b] \in \mathcal{C}[0,1]$
and $[c,d] \in \mathcal{C}[0,1]$, then:

- $[a,b] \le_t [c,d]$ if $a \le c$ and $b \le d$, meaning that $[c,d]$ is closer to 1 than $[a,b]$.
- $[a,b] \subseteq [c,d]$ if $c \le a$ and $b \le d$, meaning that $[a,b]$ is more precise than
  $[c,d]$.


The probabilistic strategies must obey the following natural properties: 


Definition 9 (Probabilistic strategy). A p-strategy is a pair of functions
$\rho = \langle c, md \rangle$ such that:

1. $c : \mathcal{C}[0,1] \times \mathcal{C}[0,1] \to \mathcal{C}[0,1]$ is called a probabilistic composition function
   satisfying the following axioms:

   Commutativity: $c([a_1,b_1],[a_2,b_2]) = c([a_2,b_2],[a_1,b_1])$

   Associativity: $c(c([a_1,b_1],[a_2,b_2]),[a_3,b_3]) = c([a_1,b_1], c([a_2,b_2],[a_3,b_3]))$

   Inclusion Monotonicity: If $[a_1,b_1] \subseteq [a_3,b_3]$ then $c([a_1,b_1],[a_2,b_2]) \subseteq
   c([a_3,b_3],[a_2,b_2])$

   Separation: There exist two functions $c^1, c^2 : [0,1] \times [0,1] \to [0,1]$ such
   that $c([a,b],[c,d]) = [c^1(a,c), c^2(b,d)]$

2. $md : \mathcal{C}[0,1] \to \mathcal{C}[0,1]$ is called a maximal interval function.

The strategies are either conjunctive or disjunctive:


Definition 10. A p-strategy $\langle c, md \rangle$ is called a conjunctive (disjunctive)
p-strategy if it satisfies the following axioms:

              | Conjunctive p-strategy                                        | Disjunctive p-strategy
Bottomline    | $c([a_1,b_1],[a_2,b_2]) \le_t [\min(a_1,a_2), \min(b_1,b_2)]$ | $[\max(a_1,a_2), \max(b_1,b_2)] \le_t c([a_1,b_1],[a_2,b_2])$
Identity      | $c([a,b],[1,1]) = [a,b]$                                      | $c([a,b],[0,0]) = [a,b]$
Annihilator   | $c([a,b],[0,0]) = [0,0]$                                      | $c([a,b],[1,1]) = [1,1]$
Max. Interval | $md([a,b]) = [a,1]$                                           | $md([a,b]) = [0,b]$


The syntax of hybrid probabilistic logic programs (hp-programs) is built on
a first-order language $L$ generated from finitely many constants and predicate
symbols. Thus, the Herbrand base $B_L$ of $L$ is finite. Without loss of generality,
we restrict the syntax to a propositional language: variables are not admitted in
atoms. This simplifies the embedding into residuated logic programs.

In an hp-program one can use arbitrary p-strategies. By definition, for each
conjunctive p-strategy the existence of a corresponding disjunctive p-strategy is
assumed, and vice versa. Formally:


Definition 11. Let $\mathcal{CONJ}$ be a finite set of coherent conjunctive p-strategies
and $\mathcal{DISJ}$ be a finite set of coherent disjunctive p-strategies. Let $\mathcal{L}$ denote
$\mathcal{CONJ} \cup \mathcal{DISJ}$. If $\rho \in \mathcal{CONJ}$ then connective $\wedge_\rho$ is called a $\rho$-annotated
conjunction. If $\rho \in \mathcal{DISJ}$ then $\vee_\rho$ is called a $\rho$-annotated disjunction.

The elementary syntactic elements of hp-programs are basic formulas:

Definition 12. Let $\rho$ be a conjunctive p-strategy, $\rho'$ be a disjunctive p-strategy
and $A_1, \ldots, A_k$ be atoms. Then $A_1 \wedge_\rho A_2 \wedge_\rho \ldots \wedge_\rho A_k$ and $A_1 \vee_{\rho'} A_2 \vee_{\rho'} \ldots \vee_{\rho'} A_k$
are hybrid basic formulas. Let $bf_\rho(B_L)$ denote the set of all ground hybrid basic
formulas for a connective. The set of ground hybrid basic formulas is $bf_{\mathcal{L}}(B_L) =
\bigcup_{\rho \in \mathcal{L}} bf_\rho(B_L)$.


Basic formulas are annotated with probability intervals. Here we differ 
from [4] where basic formulas can be additionally annotated with variables and 
functions. 
Definition 13. A hybrid probabilistic annotated basic formula is an expression
of the form $B : \mu$ where $B$ is a hybrid basic formula and $\mu \in \mathcal{C}[0,1]$.

Finally, we can present the syntax of hybrid rules and hp-programs:

Definition 14. A hybrid probabilistic program over the set $\mathcal{L}$ of p-strategies is
a finite set of hp-clauses of the form $B_0 : \mu_0 \leftarrow B_1 : \mu_1 \wedge \ldots \wedge B_k : \mu_k$ where
each $B_i : \mu_i$ is an hp-annotated basic formula over $\mathcal{L}$.

Intuitively, an hp-clause means that "if the probability of $B_1$ falls in the
interval $\mu_1$ and ... and the probability of $B_k$ falls within the interval $\mu_k$, then
the probability of $B_0$ lies in the interval $\mu_0$". Note that the conjunction symbol
$\wedge$ in the antecedent of hp-clauses should be interpreted as logical conjunction
and should not be confused with a conjunctive p-strategy.

The semantics of hp-programs is given by a fixpoint operator. Atomic functions
are akin to our notion of interpretation and are functions $f : B_L \to \mathcal{C}[0,1]$.
They may be extended to hybrid basic formulas. For this the notion of splitting
a formula into two disjoint parts is necessary:


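Definition 15. Let $F = F_1 *_\rho \ldots *_\rho F_n$, $G = G_1 *_\rho \ldots *_\rho G_k$, $H = H_1 *_\rho \ldots *_\rho H_m$
where $* \in \{\wedge, \vee\}$. We write $G \oplus_\rho H = F$ iff

1. $\{G_1, \ldots, G_k\} \cup \{H_1, \ldots, H_m\} = \{F_1, \ldots, F_n\}$,
2. $\{G_1, \ldots, G_k\} \cap \{H_1, \ldots, H_m\} = \emptyset$,
3. $k > 0$ and $m > 0$.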
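The three conditions above say that $G$ and $H$ split the components of $F$ into two non-empty disjoint parts. The following sketch enumerates all such splits for a small formula; representing a basic formula by the set of its components, and the name `splits`, are assumptions of this illustration rather than notation from the paper.

```python
from itertools import combinations

def splits(parts):
    """All ordered pairs (G, H) of non-empty, disjoint sets whose union is parts."""
    parts = frozenset(parts)
    result = []
    for size in range(1, len(parts)):               # both sides must be non-empty
        for chosen in combinations(sorted(parts), size):
            g = frozenset(chosen)
            result.append((g, parts - g))           # H is the complement of G in F
    return result

three = splits({"A", "B", "C"})
```

A formula with $n$ components has $2^n - 2$ ordered splits, so the number of decompositions grows exponentially with the width of the formula.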


The extension to atomic formulas is as follows: 


Definition 16. A hybrid formula function is a function $h : bf_{\mathcal{L}}(B_L) \to \mathcal{C}[0,1]$
which satisfies the following properties:

1. Commutativity. If $F = G_1 \oplus_\rho G_2$ then $h(F) = h(G_1 *_\rho G_2)$.

2. Composition. If $F = G_1 \oplus_\rho G_2$ then $h(F) \subseteq c_\rho(h(G_1), h(G_2))$.

3. Decomposition. For any basic formula $F$, $h(F) \subseteq md_\rho(h(F *_\rho G))$ for all
   $\rho \in \mathcal{L}$ and $G \in bf_{\mathcal{L}}(B_L)$.

Let $h_1$ and $h_2$ be two hybrid formula functions. We say that $h_1 \le h_2$ iff $(\forall F \in
bf_{\mathcal{L}}(B_L))\ h_1(F) \supseteq h_2(F)$. In particular, this means that there is a minimum
element of $\mathcal{HFF}$ mapping every hybrid basic formula to $[0,1]$.

The immediate consequences operator for hp-programs resorts to the follow- 
ing auxiliary operator. Again, we consider the ground case only: 


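Definition 17. Let $P$ be an hp-program. Operator $S_P : \mathcal{HFF} \to \mathcal{HFF}$ is defined
as follows, where $F$ is a basic formula. $S_P(h)(F) = \bigcap M$ where $M = \{ \mu \mid F : \mu \leftarrow
F_1 : \mu_1 \wedge \ldots \wedge F_n : \mu_n$ is an instance of some hp-clause in $P$ and $(\forall j \le n)\ h(F_j) \subseteq
\mu_j \}$. Obviously, if $M = \emptyset$ then $S_P(h)(F) = [0,1]$.

Definition 18. Let $P$ be an hp-program. Operator $T_P : \mathcal{HFF} \to \mathcal{HFF}$ is defined
as follows:

1. Let $F$ be an atomic formula.
   (a) if $S_P(h)(F) = \emptyset$ then $T_P(h)(F) = \emptyset$.
   (b) if $S_P(h)(F) \neq \emptyset$ then let $M = \{ \langle \mu, \rho \rangle \mid (F *_\rho G) : \mu \leftarrow F_1 : \mu_1 \wedge \ldots \wedge
       F_n : \mu_n$ where $* \in \{\vee, \wedge\}$, $\rho \in \mathcal{L}$ and $(\forall j \le n)\ h(F_j) \subseteq \mu_j \}$. We define
       $T_P(h)(F) = (\bigcap \{ md_\rho(\mu) \mid \langle \mu, \rho \rangle \in M \}) \cap S_P(h)(F)$
2. If $F$ is not atomic, then
   $T_P(h)(F) = S_P(h)(F) \cap (\bigcap \{ c_\rho(T_P(h)(G), T_P(h)(H)) \mid G \oplus_\rho H = F \}) \cap
   (\bigcap \{ md_\rho(\mu) \mid \langle \mu, \rho \rangle \in M \})$
   where $M = \{ \langle \mu, \rho \rangle \mid D_1 *_\rho \ldots *_\rho D_k : \mu \leftarrow E_1 : \mu_1 \wedge \ldots \wedge E_m :
   \mu_m$ such that $(\forall j \le m)\ h(E_j) \subseteq \mu_j$ and $\exists H\ F \oplus_\rho H = \{D_1, \ldots, D_k\} \}$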


A full explanation and intuition of the above operators can be found in [4].
Note that the interval intersection operator $\cap$ in operators $S_P$ and $T_P$
corresponds to the join operation in lattice $\mathcal{C}[0,1]$ ordered by containment relation
$\supseteq$. For the continuation of our work it is enough to recall that the $T_P$ operator
is monotonic (on the containment relation) and that it has a least fixpoint.
Furthermore, the least model of an hp-program is given by the least fixpoint of
$T_P$. We will base our results on these properties of the $T_P$ operator. We end this
section with a small example from [4], adapted to the ground case.


Example 1. Assume that if the CEO of a company sells the stock and retires with
probability over 85%, and we are ignorant about the relationship between the
two events, then the probability that the stock of the company drops is 40-90%.
However, if the CEO retires and sells the stock, but we know that the former
entails the latter, then the probability that the stock of the company will drop
is only 5-20%. This situation is formalized with the following two rules:

price-drop:[0.4,0.9] $\leftarrow$ (ch-sells-stock $\wedge_{igc}$ ch-retires):[0.85,1]
price-drop:[0.05,0.2] $\leftarrow$ (ch-sells-stock $\wedge_{pcc}$ ch-retires):[1,1]

Here $\wedge_{igc}$ is a conjunctive ignorance p-strategy with $c_{igc}([a_1,b_1],[a_2,b_2]) =
[\max(0, a_1 + a_2 - 1), \min(b_1, b_2)]$, and $\wedge_{pcc}$ is the positive correlation conjunctive
p-strategy such that $c_{pcc}([a_1,b_1],[a_2,b_2]) = [\min(a_1,a_2), \min(b_1,b_2)]$.

Now assume we have the two facts ch-sells-stock:[1,1] and ch-retires:[0.9,1].
In this case, we obtain in the model of $P$ that the probability of price-drop is in
[0.4,0.9] since the first rule will fire and the second won't. If instead of the above
two facts we have (ch-sells-stock $\wedge_{igc}$ ch-retires):[1,1] then in the least fixpoint
of $T_P$ price-drop will be assigned $\emptyset$.
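The first scenario of the example can be retraced with a few lines of code. This is a simplified sketch, not the full $T_P$ operator: it only composes the two fact intervals with each strategy and tests whether the result lies inside the interval annotating the rule body. The function names and the representation of intervals as pairs of exact rationals are assumptions of this illustration.

```python
from fractions import Fraction as Fr

def c_igc(x, y):
    """Conjunctive ignorance composition: [max(0, a1 + a2 - 1), min(b1, b2)]."""
    (a1, b1), (a2, b2) = x, y
    return (max(Fr(0), a1 + a2 - 1), min(b1, b2))

def c_pcc(x, y):
    """Positive correlation conjunctive composition: [min(a1, a2), min(b1, b2)]."""
    (a1, b1), (a2, b2) = x, y
    return (min(a1, a2), min(b1, b2))

def within(inner, outer):
    """Interval containment: inner is a subset of outer."""
    return outer[0] <= inner[0] and inner[1] <= outer[1]

sells = (Fr(1), Fr(1))         # ch-sells-stock:[1,1]
retires = (Fr(9, 10), Fr(1))   # ch-retires:[0.9,1]

igc_value = c_igc(sells, retires)
pcc_value = c_pcc(sells, retires)
first_fires = within(igc_value, (Fr(85, 100), Fr(1)))   # body of the first rule
second_fires = within(pcc_value, (Fr(1), Fr(1)))        # body of the second rule
```

Both strategies yield the interval $[0.9, 1]$ here; it is contained in $[0.85, 1]$ but not in $[1, 1]$, which agrees with the statement that only the first rule fires.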


4 Embedding of Hybrid Probabilistic Logic Programs 
into Residuated Logic Programs 


In this section we present the embedding result. This will require some effort.
First, we need to define our underlying residuated lattice. We will not restrict
ourselves to closed intervals of [0,1]. We require additional truth-values:

Definition 19. Let $\mathcal{INT}$ be the set of pairs formed from values in [0,1]. We
represent a value $\langle a, b \rangle \in \mathcal{INT}$ by $[a,b]$. We say that $[a_1,b_1] \le [a_2,b_2]$ iff
$a_1 \le a_2$ and $b_2 \le b_1$.

A pair $[a,b]$ in $\mathcal{INT}$ (with $a \le b$) represents a non-empty closed interval of
$\mathcal{C}[0,1]$. The intuition for the remaining "intervals" of the form $[c,d]$ with $c > d$
will be provided later on, but we can advance now that they represent a form of
inconsistent probability intervals. They correspond to $\emptyset$ in $\mathcal{C}[0,1]$. The relation
$\le$ on $\mathcal{INT}$ forms a partial order, and extends the containment relation of $\mathcal{C}[0,1]$
to $\mathcal{INT}$. In particular, $[0,1]$ and $[1,0]$ are, respectively, the least and greatest
elements of $\mathcal{INT}$. These remarks are justified by the following two results:


Proposition 1. The set $\mathcal{INT}$ with the partial order $\le$ forms a complete lattice
with the following meet and join operators:

$[a_1,b_1] \sqcap [a_2,b_2] = [\min(a_1,a_2), \max(b_1,b_2)]$
$[a_1,b_1] \sqcup [a_2,b_2] = [\max(a_1,a_2), \min(b_1,b_2)]$

In general, consider the family $\{[a_i,b_i]\}_{i \in I}$; then

$\bigsqcap_{i \in I} [a_i,b_i] = [\inf\{a_i \mid i \in I\}, \sup\{b_i \mid i \in I\}]$
$\bigsqcup_{i \in I} [a_i,b_i] = [\sup\{a_i \mid i \in I\}, \inf\{b_i \mid i \in I\}]$

Proposition 2. Consider the mapping $\overline{\,\cdot\,}$ from $\mathcal{INT}$ to $\mathcal{C}[0,1]$ such that $\overline{[a,b]} =
[a,b]$ if $a \le b$, otherwise it is $\emptyset$. Let $[a_1,b_1]$ and $[a_2,b_2]$ belong to $\mathcal{C}[0,1]$. Then,

$[a_1,b_1] \cap [a_2,b_2] = \overline{[a_1,b_1] \sqcup [a_2,b_2]}$

Example 2. Consider the intervals [0.5,0.7] and [0.6,0.9]. Their intersection is
[0.6,0.7] which is identical to their join in lattice $\mathcal{INT}$. Now, the intervals
[0.5,0.7] and [0.8,0.9] have empty intersection. However their join is [0.8,0.7].
This will mean that there is some inconsistency in the assignment of probability
intervals. In fact, we know that there is a gap from 0.7 to 0.8. Thus, $\overline{[0.8,0.7]} = \emptyset$.

The interpretation is a little more complex when more than two intervals are
involved in the join operation. The intersection of [0.1,0.2], [0.4,0.6] and [0.7,0.9]
is empty again. Their join is [0.7,0.2], meaning that the leftmost interval ends
at 0.2 while the rightmost begins at 0.7. Again, $\overline{[0.7,0.2]} = \emptyset$.
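The computations of Example 2 can be reproduced mechanically. The sketch below is an illustration only: pairs are represented as Python tuples, `None` stands for the empty interval, and the function names `meet`, `join` and `bar` are assumptions of this example.

```python
from functools import reduce

def meet(x, y):
    """Meet in INT: [min(a1, a2), max(b1, b2)]."""
    return (min(x[0], y[0]), max(x[1], y[1]))

def join(x, y):
    """Join in INT: [max(a1, a2), min(b1, b2)]."""
    return (max(x[0], y[0]), min(x[1], y[1]))

def bar(x):
    """Map a pair of INT back to C[0,1]; None stands for the empty interval."""
    a, b = x
    return x if a <= b else None

overlap = join((0.5, 0.7), (0.6, 0.9))                        # intervals that intersect
gap = join((0.5, 0.7), (0.8, 0.9))                            # disjoint intervals
triple = reduce(join, [(0.1, 0.2), (0.4, 0.6), (0.7, 0.9)])   # three disjoint intervals
```

The join of the overlapping intervals is their intersection, while the two disjoint cases produce the inconsistent pairs $[0.8, 0.7]$ and $[0.7, 0.2]$, both of which `bar` sends to the empty interval.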


We have seen that the meet and join operations perform the union and
intersection of "intervals" of $\mathcal{INT}$, respectively. Our objective is to construct a
residuated lattice from $\mathcal{INT}$ and the meet operation, which will be the
multiplication operation. The adjoint residuum operation (implication) is defined as
follows:

Definition 20. Let $[a_1,b_1]$ and $[a_2,b_2]$ belong to $\mathcal{INT}$. Then:

$$[a_1,b_1] \leftarrow [a_2,b_2] = \begin{cases} [1,0] & \text{if } a_2 \le a_1 \text{ and } b_2 \ge b_1 \\ [1,b_1] & \text{if } a_2 \le a_1 \text{ and } b_2 < b_1 \\ [a_1,0] & \text{if } a_2 > a_1 \text{ and } b_2 \ge b_1 \\ [a_1,b_1] & \text{if } a_2 > a_1 \text{ and } b_2 < b_1 \end{cases}$$


The result of the residuum operation is not obvious but still intuitive. In
fact, we are testing whether $[a_2,b_2]$ contains $[a_1,b_1]$ (i.e. if $[a_1,b_1] \ge [a_2,b_2]$)
and how $[a_2,b_2]$ should be extended in order to satisfy the inclusion. If the first
(second) component of $[a_1,b_1] \leftarrow [a_2,b_2]$ is 1 (respectively 0) we do not have to
do anything to $[a_2,b_2]$. Otherwise, $a_2$ (resp. $b_2$) should be reduced (increased) to
$a_1$ ($b_1$). Notice again that $[1,0]$ is our top element in lattice $\mathcal{INT}$.

Theorem 2. The operations $(\leftarrow, \sqcap)$ form an adjoint pair in the partially
ordered set $\langle \mathcal{INT}, \le \rangle$.

Clearly, the structure $\langle \mathcal{INT}, \leftarrow, \sqcap \rangle$ is a complete residuated lattice, with
top element $[1,0]$. A corresponding residuated algebra is easily constructed. We
proceed by presenting a result which will enable the embedding of hybrid
probabilistic logic programs into residuated logic programs:
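The adjointness of the residuum and the meet can be checked exhaustively on a finite grid of pairs. The following sketch is an illustration under stated assumptions: the four cases of the residuum are read as "first component 1 if $a_2 \le a_1$, otherwise $a_1$; second component 0 if $b_2 \ge b_1$, otherwise $b_1$", the grid of multiples of 1/4 is arbitrary, and all function names are hypothetical.

```python
from fractions import Fraction as Fr
from itertools import product

def leq(x, y):
    """Order on INT: [a1, b1] <= [a2, b2] iff a1 <= a2 and b2 <= b1."""
    return x[0] <= y[0] and y[1] <= x[1]

def meet(x, y):
    """Meet in INT, used as the multiplication operation."""
    return (min(x[0], y[0]), max(x[1], y[1]))

def residuum(y, z):
    """y <- z for y = [a1, b1] and z = [a2, b2], by the four cases read as above."""
    (a1, b1), (a2, b2) = y, z
    first = Fr(1) if a2 <= a1 else a1
    second = Fr(0) if b2 >= b1 else b1
    return (first, second)

GRID = [Fr(k, 4) for k in range(5)]       # 0, 1/4, 1/2, 3/4, 1
PAIRS = list(product(GRID, repeat=2))     # 25 elements of INT, consistent or not

def is_adjoint():
    """Check that x <= (y <- z) holds iff meet(x, z) <= y holds, for all grid pairs."""
    return all(leq(x, residuum(y, z)) == leq(meet(x, z), y)
               for x, y, z in product(PAIRS, repeat=3))
```

On this grid the equivalence holds for every triple, including the inconsistent pairs with first component larger than the second, which is consistent with the adjoint-pair property stated for these two operations.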


Theorem 3. Consider the operator $T'_P$ which is identical to $T_P$ except for when
its argument formula $F$ is not atomic; then:

$T'_P(h)(F) = S_P(h)(F) \cap (\bigcap \{ c_\rho(h(G), h(H)) \mid G \oplus_\rho H = F \}) \cap
(\bigcap \{ md_\rho(\mu) \mid \langle \mu, \rho \rangle \in M \})$

with $M$ defined as before. Then $h$ is a fixpoint of $T'_P$ iff $h$ is a fixpoint of $T_P$.

Proof: The only difference between the operators is that we have replaced
$c_\rho(T_P(h)(G), T_P(h)(H))$ in $T_P$ by $c_\rho(h(G), h(H))$ in $T'_P$. Clearly, if $h$ is a fixpoint
of $T_P$ then it is also a fixpoint of $T'_P$: since $h = T_P(h)$ we can substitute $h$ by
$T_P(h)$ in the definition of $T'_P$, getting $T_P$. For the other direction, we prove the
result by induction on the number of atoms in $F$. If $F$ is atomic then $T'_P(h) =
T_P(h)$, by definition. Otherwise, $F$ is not an atomic formula. Since $h$ is a fixpoint
of $T'_P$ we have:

$T'_P(h)(F) = S_P(h)(F) \cap (\bigcap \{ c_\rho(h(G), h(H)) \mid G \oplus_\rho H = F \}) \cap (\bigcap \{ md_\rho(\mu) \mid \langle \mu, \rho \rangle \in M \})$
$= S_P(h)(F) \cap (\bigcap \{ c_\rho(T'_P(h)(G), T'_P(h)(H)) \mid G \oplus_\rho H = F \}) \cap (\bigcap \{ md_\rho(\mu) \mid \langle \mu, \rho \rangle \in M \})$

But clearly $G$ and $H$ have a smaller number of atoms. So, from the induction
hypothesis we know that $T'_P(h)(G) = T_P(h)(G)$ and $T'_P(h)(H) = T_P(h)(H)$.
Substituting these equalities into the above equation we get $T'_P(h)(F) = S_P(h)(F) \cap
(\bigcap \{ c_\rho(T_P(h)(G), T_P(h)(H)) \mid G \oplus_\rho H = F \}) \cap (\bigcap \{ md_\rho(\mu) \mid \langle \mu, \rho \rangle \in M \})$ which
is $T_P(h)(F)$.


Before we present the embedding, we need some auxiliary functions in $\mathcal{INT}$:

Definition 21. The double bar function $\overline{\overline{\,\cdot\,}}$ from $\mathcal{INT}$ to $\mathcal{INT}$ and the functions
$s_\mu : \mathcal{INT} \to \mathcal{INT}$ where $\mu$ in $\mathcal{INT}$ are defined as follows:

$$\overline{\overline{[a,b]}} = \begin{cases} [1,0] & \text{if } a > b \\ [a,b] & \text{otherwise} \end{cases} \qquad s_\mu(\vartheta) = \begin{cases} [1,0] & \text{if } \mu \le \vartheta \\ [0,1] & \text{otherwise} \end{cases}$$

The above functions are clearly monotonic. Furthermore, the $s_\mu$ functions
are "two-valued" and will be used to perform the comparisons in the rule bodies
of a probabilistic logic program. Now, the embedding is immediate:


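Definition 22. Consider the hp-program $P$ on the set of p-strategies $\mathcal{L}$. First,
we construct the residual algebra $\mathfrak{I}$ from the carrier set $\mathcal{INT}$, and operations $\leftarrow$,
$\sqcap$, $c_\rho$ ($\rho \in \mathcal{L}$), $s_\mu$ ($\mu \in \mathcal{INT}$), the double bar function, and the top constant $[1,0]$.
Next, we build the residuated logic program $P^{hp}$ from $P$ as follows, where every
ground hybrid basic formula in $bf_{\mathcal{L}}(B_L)$ is viewed as a new propositional symbol² in
the language of $P^{hp}$.

1. For each rule in $P$ of the form $F : \mu \leftarrow F_1 : \mu_1 \wedge \ldots \wedge F_k : \mu_k$ we add to $P^{hp}$
   the rule³ $F \xleftarrow{\mu} s_{\mu_1}(\overline{\overline{F_1}}) \sqcap \ldots \sqcap s_{\mu_k}(\overline{\overline{F_k}})$.

2. For every $F$, $G$, and $H$ in $bf_{\mathcal{L}}(B_L)$ such that $H = F \oplus_\rho G$, and $\rho$ is a conjunctive
   p-strategy, then for every rule $H : [a,b] \leftarrow E_1 : \mu_1 \wedge \ldots \wedge E_m : \mu_m$ in $P$ we
   add to $P^{hp}$ the rule $F \xleftarrow{[a,1]} s_{\mu_1}(\overline{\overline{E_1}}) \sqcap \ldots \sqcap s_{\mu_m}(\overline{\overline{E_m}})$.

3. For every $F$, $G$, and $H$ in $bf_{\mathcal{L}}(B_L)$ such that $H = F \oplus_\rho G$, and $\rho$ is a disjunctive
   p-strategy, then for every rule $H : [a,b] \leftarrow E_1 : \mu_1 \wedge \ldots \wedge E_m : \mu_m$ in $P$ we
   add to $P^{hp}$ the rule $F \xleftarrow{[0,b]} s_{\mu_1}(\overline{\overline{E_1}}) \sqcap \ldots \sqcap s_{\mu_m}(\overline{\overline{E_m}})$.

4. Finally, for every $F$, $G$, and $H$ in $bf_{\mathcal{L}}(B_L)$ such that $F = G \oplus_\rho H$ then include
   in $P^{hp}$ the rule $F \xleftarrow{[1,0]} c_\rho(\overline{\overline{G}}, \overline{\overline{H}})$.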


Some remarks are necessary to fully clarify the above translation. First, the $c_\rho$
functions were previously defined on domain $C[0,1]$. It is required to extend them
to $\mathcal{INT}$. For elements of $\mathcal{INT}$ isomorphic to elements of $C[0,1]$ the functions
should coincide. For values in $\mathcal{INT}$ not in $C[0,1]$ the functions $c_\rho$ can take
arbitrary values, since in the embedding the arguments of these functions always
take values from $C[0,1]$.

Also, the above translation produces a residuated logic program. The rules
belong to the algebra of formulae freely generated from the set of propositional
symbols and operators in the corresponding residual algebra. Thus, when
evaluating $F \xleftarrow{\mu} s_{\mu_1}(\overline{\overline{F_1}}) \sqcap \ldots \sqcap s_{\mu_k}(\overline{\overline{F_k}})$ with respect to interpretation $I$ we really
mean $I(F) \xleftarrow{\mu} s_{\mu_1}(\overline{\overline{I(F_1)}}) \sqcap \ldots \sqcap s_{\mu_k}(\overline{\overline{I(F_k)}})$, as usual. It should be clear that
every body formula is isotonic on its arguments: for the first three types of rules
the body is the composition of isotonic functions and therefore the resulting
function is also isotonic. The probabilistic composition functions are isotonic by
definition (check Definition 9).

² Without loss of generality, we assume that the occurrences of atoms in each hybrid
basic formula are ordered according to some total order in the set of all atoms.
³ We assign to the body of translated facts the top constant $[1,0]$.

The number of rules introduced in the fourth step is exponential in the number of
atoms (width) in $F$. This is expected since it is known that the computation of
the least fixpoint of an HPP is exponential in the width of the largest formula
of interest, as shown in [3]. The complexity of the entailment and consistency
problems for HPPs is more subtle and the reader is referred again to [3] for
these results.


Theorem 4. Let $P$ be a hybrid probabilistic logic program and $P_{hp}$ the corresponding
residuated logic program over $\mathfrak{I}$. Let $h$ be the least fixpoint of $T^{P}_{P_{hp}}$, and
$h'$ be the least fixpoint of $T'_P$. Then, for every $F$ in $bf_{\mathcal{L}}$, we have $h'(F) = \overline{\overline{h(F)}}$.


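Proof: We will prove that for every $F$ in $bf_{\mathcal{L}}$ we have $T'_P \uparrow^{\alpha} (F) = \overline{\overline{T^{P}_{P_{hp}} \uparrow^{\alpha} (F)}}$.
To simplify notation we drop the subscripts in the operators. The proof is by
transfinite induction on $\alpha$:

$\alpha = 0$: Trivial since every hybrid basic formula is mapped to $[0,1]$ in both operators.

Successor ordinal $\alpha = \beta + 1$: Let $h' = T' \uparrow^{\beta}$ and $h = T^{P} \uparrow^{\beta}$. By induction
hypothesis we know that for every $F$ in $bf_{\mathcal{L}}$ we have $h'(F) = \overline{\overline{h(F)}}$. The
essential point is that $h'(F) \subseteq \mu$ iff $s_\mu(\overline{\overline{h(F)}}) = [1,0]$. Therefore, we have
the body of a rule in $P$ satisfied by $h'$ iff the body of the corresponding
rule in $P_{hp}$ evaluates to $[1,0]$. Otherwise, the body of the rule in $P_{hp}$ has
truth-value $[0,1]$.

Rules of the first kind in the embedding implement the $S_P$ operator because

$$T^{P}(h)(F) = \bigsqcup \{ \mu \sqcap h(s_{\mu_1}(\overline{\overline{F_1}}) \sqcap \ldots \sqcap s_{\mu_k}(\overline{\overline{F_k}})) \text{ such that } F \xleftarrow{\mu} s_{\mu_1}(\overline{\overline{F_1}}) \sqcap \ldots \sqcap s_{\mu_k}(\overline{\overline{F_k}}) \in P_{hp} \}$$
$$= \bigsqcup \{ \mu \sqcap [1,0] \text{ such that } F \xleftarrow{\mu} s_{\mu_1}(\overline{\overline{F_1}}) \sqcap \ldots \sqcap s_{\mu_k}(\overline{\overline{F_k}}) \in P_{hp} \text{ and } h(s_{\mu_1}(\overline{\overline{F_1}}) \sqcap \ldots \sqcap s_{\mu_k}(\overline{\overline{F_k}})) = [1,0] \}$$
$$= \bigsqcup \{ \mu \text{ where } F : \mu \leftarrow F_1 : \mu_1 \wedge \ldots \wedge F_k : \mu_k \text{ is satisfied by } h' \}$$

Rules of the second and third kind extract the maximal interval associated
with $F$ with respect to connective $\rho$. By definition, we know that the maximal
interval $md_\rho([a,b])$ is $[a,1]$ for a conjunctive p-strategy $\rho$, or $[0,b]$ if $\rho$ is a
disjunctive p-strategy. Therefore the rules of the second and third kind implement
$\bigsqcup \{ md_\rho(\mu) \mid \langle \mu, \rho \rangle \in M \}$ for both cases 1b) and 2 of Definition 18.
Finally, the remaining rules compute $\bigsqcup \{ c_\rho(h'(G), h'(H)) \mid G \oplus_\rho H = F \}$. The
result immediately follows from Proposition 2.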
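Limit ordinal $\alpha$ other than 0: We have to show that

$$\bigcap_{\beta < \alpha} T' \uparrow^{\beta} (F) = \overline{\overline{\bigsqcup_{\beta < \alpha} T^{P} \uparrow^{\beta} (F)}}$$

Suppose for every $\beta < \alpha$ we have $T' \uparrow^{\beta} (F) \neq \emptyset$. This means that $T' \uparrow^{\beta} (F) = T^{P} \uparrow^{\beta} (F)$.
The result then follows again from Proposition 2.

If for some $\beta$ it is the case that $T' \uparrow^{\beta} (F) = \emptyset$, this means $T' \uparrow^{\alpha} (F) = \emptyset$. By
induction hypothesis, $T^{P} \uparrow^{\beta} (F) = [a_\beta, b_\beta]$ with $a_\beta > b_\beta$. Let $T^{P} \uparrow^{\alpha} (F) = [a_\alpha, b_\alpha]$.
We conclude $[a_\beta, b_\beta] \leq [a_\alpha, b_\alpha]$ by monotonicity of $T^{P}$, i.e. $a_\alpha \geq a_\beta$
and $b_\beta \geq b_\alpha$. Obviously, $a_\alpha > b_\alpha$ and the theorem holds.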


By Theorem 3 we conclude immediately that $\mathrm{lfp}\, T^{P}$ is the least fixpoint
of Dekhtyar and Subrahmanian's $T_P$ operator, and the embedding is proved.
The convergence of the process is guaranteed both by the properties of the $T_P$
operator and the fixpoint results for residuated logic programs. We now return
to Example 1 to illustrate the embedding. For simplicity, we ignore the rules
generated in the fourth step for annotated disjunctions since they will not be
required.


Example 3. The first two rules will be encoded as follows:


3 [0.4,0.9] SS 
price-drop) = — $99.5,1) (ch-sells-stock Nige ch-retires) 


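$$\textit{price-drop} \xleftarrow{[0.05,0.2]} s_{[1,1]}(\overline{\overline{\textit{ch-sells-stock} \wedge_{pcc} \textit{ch-retires}}})$$

Additionally, the following two rules will be introduced by the fourth step in the
transformation:

$$\textit{ch-sells-stock} \wedge_{igc} \textit{ch-retires} \xleftarrow{[1,0]} c_{igc}(\overline{\overline{\textit{ch-sells-stock}}}, \overline{\overline{\textit{ch-retires}}})$$

$$\textit{ch-sells-stock} \wedge_{pcc} \textit{ch-retires} \xleftarrow{[1,0]} c_{pcc}(\overline{\overline{\textit{ch-sells-stock}}}, \overline{\overline{\textit{ch-retires}}})$$

In the first situation, the two facts will be translated to

$$\textit{ch-sells-stock} \xleftarrow{[1,1]} [1,0]$$

$$\textit{ch-retires} \xleftarrow{[0.9,1]} [1,0]$$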


In the least fixpoint of $T^{P}$ the literals ch-sells-stock and ch-retires have
truth-value $[1,1]$ and $[0.9,1]$, respectively. From this we obtain for the literals
representing hybrid basic formulas ch-sells-stock $\wedge_{igc}$ ch-retires and ch-sells-stock $\wedge_{pcc}$
ch-retires the same truth-value of $[0.9,1]$. Finally, we obtain the interval $[0.4,0.9]$
by application of the first rule.

The fact (ch-sells-stock $\wedge_{igc}$ ch-retires) : $[1,1]$ will be encoded instead as
follows, by application of the first and second rules:

$$\textit{ch-sells-stock} \wedge_{igc} \textit{ch-retires} \xleftarrow{[1,1]} [1,0]$$

$$\textit{ch-sells-stock} \xleftarrow{[1,1]} [1,0]$$

$$\textit{ch-retires} \xleftarrow{[1,1]} [1,0]$$

From the above facts we conclude that ch-sells-stock $\wedge_{pcc}$ ch-retires gets
truth-value $[1,1]$, and by application of the rules for price-drop we obtain for this literal
the assignment $[0.4,0.2]$, and as expected $[0.4,0.2] = \emptyset$.


We conclude by remarking that the substitution of $F : \mu$ by $s_\mu(\overline{\overline{F}})$ instead
of by $s_\mu(F)$ in the transformed program is of the essence. Otherwise, we could
get different semantics when some literal is mapped to $\emptyset$. However, it is not
clear which semantics is better in that case, and further work is necessary.
We illustrate the distinction in the next example:


Example 4. Consider the hp-program:

$$a : [0.5,0.7] \leftarrow \qquad a : [0.8,0.9] \leftarrow \qquad b : [1,1] \leftarrow a : [0.9,0.95]$$

According to the transformation of Definition 22 we have:

$$a \xleftarrow{[0.5,0.7]} [1,0] \qquad a \xleftarrow{[0.8,0.9]} [1,0] \qquad b \xleftarrow{[1,1]} s_{[0.9,0.95]}(\overline{\overline{a}})$$

In the model of the program $a$ is mapped to $[0.8,0.7]$ and $b$ to $[1,1]$. Now, if we
translate the rule for $b$ as $b \xleftarrow{[1,1]} s_{[0.9,0.95]}(a)$, literal $a$ is still mapped to $[0.8,0.7]$.
However, the body of the rule for $b$ has truth-value $[0,1]$, and $b$ also has this
value, since $[1,1] \sqcap [0,1] = [0,1]$.
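The two readings of Example 4 can be replayed mechanically. The following is a minimal Python sketch, not the authors' implementation. It assumes that the ordering on intervals is given by $[a,b] \leq [c,d]$ iff $a \leq c$ and $d \leq b$ (so $[0,1]$ is the bottom and $[1,0]$ the top element), that a rule weight is combined with its body value through the lattice meet, and that the double bar and $s_\mu$ functions behave as the example describes. All function names are hypothetical.

```python
# Intervals are pairs (a, b); pairs with a > b stand for the empty interval.
BOTTOM, TOP = (0.0, 1.0), (1.0, 0.0)

def leq(x, y):
    """Assumed lattice order: x <= y iff y is a sub-interval of x."""
    return x[0] <= y[0] and y[1] <= x[1]

def join(x, y):
    return (max(x[0], y[0]), min(x[1], y[1]))

def meet(x, y):
    return (min(x[0], y[0]), max(x[1], y[1]))

def dbar(x):
    """Double bar: collapse every empty interval (a > b) to the top [1,0]."""
    return TOP if x[0] > x[1] else x

def s(mu, x):
    """Two-valued comparison: top if mu <= x, bottom otherwise."""
    return TOP if leq(mu, x) else BOTTOM

def least_fixpoint(rules, atoms):
    """rules: list of (head, weight, body); body maps an interpretation to a value."""
    interp = {a: BOTTOM for a in atoms}
    while True:
        new = {a: BOTTOM for a in atoms}
        for head, weight, body in rules:
            new[head] = join(new[head], meet(weight, body(interp)))
        if new == interp:
            return interp
        interp = new

def example4(use_double_bar):
    """Translate Example 4 with or without the double bar around the body atom."""
    wrap = dbar if use_double_bar else (lambda x: x)
    rules = [
        ("a", (0.5, 0.7), lambda i: TOP),  # fact a : [0.5,0.7]
        ("a", (0.8, 0.9), lambda i: TOP),  # fact a : [0.8,0.9]
        ("b", (1.0, 1.0), lambda i: s((0.9, 0.95), wrap(i["a"]))),
    ]
    return least_fixpoint(rules, ["a", "b"])
```

Under these assumptions, `example4(True)` maps `a` to `(0.8, 0.7)` and `b` to `(1.0, 1.0)`, while `example4(False)` leaves `b` at `(0.0, 1.0)`, which matches the two outcomes described in the example.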


5 Conclusions and Further Work 


The major contribution of this paper is the generality of our setting, both at 
the language and the semantic level. We presented an algebraic characterization 
of Residuated Logic Programs. Program rules have arbitrary monotonic body 
functions and our semantical structures are residuated lattices, where a general- 
ized form of Modus Ponens Rule is valid. After having defined an implication (or 
residuum operator) and the associated multiplication (t-norm in the fuzzy logic 
setting) we obtain a logic programming semantics with corresponding model and 
fixpoint theory. 

The embedding of hybrid probabilistic logic programs into residuated logic
programs relies on a generalization of the complete lattice of closed intervals in
[0,1]. The extra truth-values capture invalid probability interval assignments, not
used in [4]. The program transformation capturing the hp-semantics is a direct
translation of the fixpoint conditions on a logic program. This aspect illustrates
the generality and potential of our approach. Besides hp-programs we have shown
that Generalized Annotated Logic Programs, Fuzzy Logic Programming, and
Possibilistic Logic Programming are all captured by Residuated Logic Programs.
These results could not be included for lack of space.

Our work paves the way to combine and integrate several forms of reasoning
into a single framework, namely fuzzy, probabilistic, uncertain, and paraconsistent.
We have also defined another class of logic programs, extending the
Residuated one, where rule bodies can be anti-monotonic functions, with
Well-Founded and Stable Model like semantics. This brings together non-monotonic
and incomplete forms of reasoning with those listed before. It will be the subject
of a forthcoming paper.
Abstract. A framework to deal with spatial patterns at the qualitative
level of mereotopology is proposed. The main contribution is to provide
formal tools for issues of model equivalence and model similarity. The
framework uses a multi-modal language $S4_u$ interpreted on topological
spaces (rather than Kripke semantics) to describe the spatial patterns.
Model theoretic notions such as topological bisimulations and topological
model comparison games are introduced to define a distance on the space
of all topological models for the language $S4_u$. In the process, a new take
on mereotopology is given, prompting a comparison with prominent
systems, such as RCC.


Keywords: qualitative spatial reasoning, RCC, mereotopology, model 
comparison games 


1 Introduction 


There are various ways to take space qualitatively. Topology, orientation or
distance have been investigated in a non-quantitative manner. The literature is
especially abundant in mereotopological theories, i.e. theories of parthood P and
connection C. Even though the two primitives can be axiomatized independently,
the definition of part in terms of connection suffices for AI applications. Usually,
some fragment of topology is axiomatized and set inclusion is used to interpret
parthood (see the first four chapters of [9] for a complete overview).

Most of the efforts in mereotopology have gone into the axiomatization of the 
specific theories, disregarding important model theoretic questions. Issues such 
as model equivalence are seldom (if ever) addressed. Seeing an old friend from 
high-school yields an immediate comparison with the image one had from the 
school days. Most often, one immediately notices how many aesthetic features 
have changed. Recognizing a place as one already visited involves comparing the 
present sensory input against memories of the past sensory inputs. “Are these 
trees the same as I saw six hours ago, or are they arranged differently?” An image 
retrieval system seldom yields an exact match; more often it yields a series of
'close' matches. In computer vision, object occlusion cannot be disregarded. One
'sees' a number of features of an object and compares them with other sets of
features to perform object recognition. Vision is not a matter of precise matching;
it is more closely related to similarity. The core of the problem lies in the precise
definition of 'close' match, thus the question shall be: How similar are two spatial
patterns?

In this paper, a general framework for mereotopology is presented, providing 
a language that subsumes many of the previously proposed ones, and then model 
theoretic questions are addressed. Not only a notion of model equivalence is 
provided, but also a precise definition of distance between models. 


2 A General Framework for Mereotopology 


2.1 The Language $S4_u$


The proposed framework takes the beaten road of mereotopology by extending 
topology with a mereological theory based on the interpretation of set inclusion 
as parthood. Hence, a brief recall here of the basic topological definitions is in 
order. 

A topological space is a couple $(X, O)$, where $X$ is a set and $O \subseteq \mathcal{P}(X)$ such
that: $\emptyset \in O$, $X \in O$, $O$ is closed under arbitrary union, $O$ is closed under finite
intersection. An element of $O$ is called an open. A subset $A$ of $X$ is called closed
if $X - A$ is open. The interior of a set $A \subseteq X$ is the union of all open sets
contained in $A$. The closure of a set $A \subseteq X$ is the intersection of all closed sets
containing $A$.

To capture a considerable fragment of topological notions a multi-modal
language $S4_u$ interpreted on topological spaces (à la Tarski [17]) is used. A
topological model $M = (X, O, \nu)$ is a topological space $(X, O)$ equipped with a
valuation function $\nu : P \to \mathcal{P}(X)$, where $P$ is the set of proposition letters of
the language.

The definition and interpretation of $S4_u$ follows that given in [2]. In that
paper, though, emphasis is given to the topological expressivity of the language
rather than the mereotopological implications. Every formula of $S4_u$ represents
a region. Two modalities are available: $\Box\varphi$, to be interpreted as "interior of the
region $\varphi$", and $U\varphi$, to be interpreted as "it is the case everywhere that $\varphi$." The
truth definition can now be given. Consider a topological model $M = (X, O, \nu)$
and a point $x \in X$:

$M, x \models p$ iff $x \in \nu(p)$ (with $p \in P$)
$M, x \models \neg\varphi$ iff not $M, x \models \varphi$
$M, x \models \varphi \to \psi$ iff not $M, x \models \varphi$ or $M, x \models \psi$
$M, x \models \Box\varphi$ iff $\exists o \in O : x \in o \wedge \forall y \in o : M, y \models \varphi$
$M, x \models U\varphi$ iff $\forall y \in X : M, y \models \varphi$
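On a finite topological model the truth definition can be evaluated directly. The following Python sketch is an illustration under stated assumptions, not part of the original framework: formulas are encoded as nested tuples (a hypothetical encoding), a model is a triple of a point set, a list of opens, and a valuation dictionary, and the helper names `extension`, `diamond`, and `E` are invented for this example.

```python
def extension(model, formula):
    """Return the set of points of a finite model at which `formula` holds.

    Formulas: ("p", name), ("not", f), ("imp", f, g), ("box", f), ("U", f).
    """
    points, opens, valuation = model
    op = formula[0]
    if op == "p":
        return set(valuation[formula[1]])
    if op == "not":
        return points - extension(model, formula[1])
    if op == "imp":
        return (points - extension(model, formula[1])) | extension(model, formula[2])
    if op == "box":
        # Interior: the union of all opens contained in the extension.
        inner = extension(model, formula[1])
        return set().union(*[o for o in opens if o <= inner])
    if op == "U":
        # Universal modality: holds everywhere or nowhere.
        return set(points) if extension(model, formula[1]) == points else set()
    raise ValueError(f"unknown operator: {op}")

def diamond(f):
    """Closure, defined dually from the interior modality."""
    return ("not", ("box", ("not", f)))

def E(f):
    """Existential modality, defined dually from U."""
    return ("not", ("U", ("not", f)))

# A three-point space whose opens form a chain: {}, {1}, {1,2}, {1,2,3}.
MODEL = (
    frozenset({1, 2, 3}),
    [frozenset(), frozenset({1}), frozenset({1, 2}), frozenset({1, 2, 3})],
    {"p": {1}, "q": {2, 3}},
)
```

In this small model the region `p` is open, so its interior is `{1}`, while its closure is the whole space; the region `q` has empty interior because no non-empty open fits inside `{2, 3}`.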
Since $\Box$ is interpreted as interior and $\Diamond$ (defined dually as $\Diamond\varphi \leftrightarrow \neg\Box\neg\varphi$, for
all $\varphi$) as closure, it is not a surprise that these modalities obey the following
axioms¹, [17]:

$\Box A \to A$ (T)
$\Box A \to \Box\Box A$ (4)
$\Box\top$ (N)
$\Box A \wedge \Box B \leftrightarrow \Box(A \wedge B)$ (R)

(4) is idempotence, while (N) and (R) are immediately identifiable in the
definition of topological space. For the universal-existential modalities $U$ and $E$
(defined dually: $E\varphi \leftrightarrow \neg U \neg\varphi$) the axioms are those of S5:

$U(\varphi \to \psi) \to (U\varphi \to U\psi)$ (K)
$U\varphi \to \varphi$ (T)
$U\varphi \to UU\varphi$ (4)
$\varphi \to UE\varphi$ (B)

In addition, the following 'connecting' principle is part of the axioms:

$\Diamond\varphi \to E\varphi$


The language $S4_u$ is thus a multi-modal S4*S5 logic interpreted on topological
spaces. Extending S4 with universal and existential operators to get rid of its
intrinsic 'locality' is a known technique used in modal logic, [12]. In the
spatial context, similar settings have been used initially in [7] to encode decidable
fragments of the region connection calculus RCC (the fundamental and most
widely used qualitative spatial reasoning calculus in the field of AI, [14]), then
by [15] to identify maximal tractable fragments of RCC and, recently, by [16].
Even though the logical technique is similar to that of [7,15], there are two
important differences. First, in the proposed use of $S4_u$ there is no commitment to
a specific definition of connection (as RCC does by forcing the intersection of
two regions to be non-empty). Second, the stress is on model equivalence and
model comparison issues, not only spatial representation. On the other hand,
there is no treatment here of consistency checking problems, leaving them for
future investigation.


2.2 Expressivity


The language $S4_u$ is perfectly suited to express mereotopological concepts.
Parthood P: a region $A$ is part of another region $B$ if it is the case everywhere that
$A$ implies $B$:


$P(A, B) := U(A \to B)$


¹ The axiomatization of $\Box$ given is known as S4. Usually, though, S4's axiomatization
is given replacing axioms (N) and (R) by (K), see [7].

This captures exactly the set-inclusion relation of the models. As for connection
C, two regions $A$ and $B$ are connected if there exists a point where both $A$ and
$B$ are true:


$C(A, B) := E(A \wedge B)$


From here it is immediate to define all the usual mereotopological predicates 
such as proper part, tangential part, overlap, external connection, and so on. 
Notice that the choice made in defining P and C is arbitrary. So, why not take a 
more restrictive definition of parthood? Say, A is part of B whenever the closure 
of A is contained in the interior of B? 


$P(A, B) := U(\Diamond A \to \Box B)$


As this formula shows, $S4_u$ is expressive enough to capture also this definition
of parthood. In [10], the logical space of mereotopological theories is
systematized. Based on the intended interpretation of the connection predicate C, and
the consequent interpretation of P (and fusion operation), a type is assigned to
mereotopological theories. More precisely, a type is a triple $\tau = (i, j, k)$, where
the first $i$ refers to the adopted definition of $C_i$, $j$ to that of $P_j$ and $k$ to the
sort of fusion. The index $i$, referring to the connection predicate C, accounts for
the different definitions of connection at the topological level. Using $S4_u$ one can
repeat here the three types of connection:

$C_1(A, B) := E(A \wedge B)$
$C_2(A, B) := E(A \wedge \Diamond B) \vee E(\Diamond A \wedge B)$
$C_3(A, B) := E(\Diamond A \wedge \Diamond B)$

Looking at previous mereotopological literature, one remarks that RCC uses a $C_3$
definition, while the system proposed in [4] uses a $C_1$. Similarly to connectedness,
one can distinguish the various types of parthood, again in terms of $S4_u$:

$P_1(A, B) := U(A \to B)$
$P_2(A, B) := U(A \to \Diamond B)$
$P_3(A, B) := U(\Diamond A \to \Diamond B)$

In [10], the definitions of the $C_i$ are given directly in terms of topology, and the
definitions of $P_j$ in terms of a first order language with the addition of a predicate
$C_i$. Finally, a general fusion $\phi_k$ is defined in terms of a first order language with
a $C_i$ predicate. Fusion operations are like algebraic operations on regions, such
as adding two regions (product), or subtracting two regions. One cannot repeat
the general definition given in [10] at the $S4_u$ level. However, one can show that
various instances of fusion operations are expressible in $S4_u$. For example, the
product $A \times_k B$:

$A \times_1 B := A \wedge B$
$A \times_2 B := (\Diamond A \wedge B) \vee (A \wedge \Diamond B)$
$A \times_3 B := (\Diamond A \wedge \Diamond B)$
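The three connection types can be told apart on a very small space. The Python sketch below is an illustration only; it assumes the set-theoretic reading of the three definitions (regions share a point, one region meets the closure of the other, or the two closures meet), and the function names and the example space are hypothetical.

```python
def interior(opens, region):
    """Union of all opens contained in `region`."""
    return set().union(*[o for o in opens if o <= region])

def closure(points, opens, region):
    """Complement of the interior of the complement."""
    return points - interior(opens, points - region)

def connection(kind, points, opens, a, b):
    """Connection of type 1, 2 or 3 between regions a and b (assumed reading)."""
    ca, cb = closure(points, opens, a), closure(points, opens, b)
    if kind == 1:
        return bool(a & b)                     # the regions share a point
    if kind == 2:
        return bool(a & cb) or bool(ca & b)    # one meets the closure of the other
    if kind == 3:
        return bool(ca & cb)                   # the closures share a point
    raise ValueError("kind must be 1, 2 or 3")

# Two open points 1 and 3 separated by a boundary point 2.
POINTS = frozenset({1, 2, 3})
OPENS = [frozenset(), frozenset({1}), frozenset({3}),
         frozenset({1, 3}), frozenset({1, 2, 3})]
```

Here the regions `{1}` and `{3}` are connected only in the third sense, because their closures `{1, 2}` and `{2, 3}` share the boundary point, whereas `{1}` and `{2}` are connected in the second sense but not in the first.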
The above discussion has shown that $S4_u$ is a general language for mereotopology.
All the different types $\tau = (i, j, k)$ of mereotopological theories are expressible
within $S4_u$.

[Figure: diagram with regions labelled RCC, First-Order Logic, and Modal Fragment of First-Order Logic]

Fig. 1. The positioning of $S4_u$ and RCC with respect to well-known logics.


Before diving into the similarity results of this paper a remark is in order.
The language $S4_u$ is a multi-modal language with nice computational properties.
It is complete with respect to topological models, it is decidable, and it has the finite
model property (see [3] for the proofs of these facts). It captures a large and
"well-behaved" fragment of mereotopology, though it is not a first-order language. In
other words, it is not possible to quantify over regions. A comparison with the
best-known RCC is in order.


Comparison with RCC. RCC is a first order language with a distinguished
connection predicate $C_3$. The driving idea behind this qualitative theory of space
is that regions of space are primitive objects and connection is the basic
predicate. This is reflected in the main difference between RCC and the proposed system,
which instead builds on traditional point-based topology.


RCC and $S4_u$ capture different portions of mereotopology.


To show this, two formulas are given: an RCC formula which is not expressible
in $S4_u$ and, vice versa, one expressible in $S4_u$, but not in RCC. The situation is
depicted in Figure 1. In RCC, one can write:


$\forall A \exists B : P(A, B)$ ($\alpha$)


meaning that every region is part of another one (think of the entire space). On
the other hand, one can write an $S4_u$ formula such as:


$\neg E(p \wedge \Box\Diamond\neg p)$ ($\beta$)


which expresses the regularity of the region $p$. It is easy to see that $\alpha$ is not
expressible in $S4_u$ and that $\beta$ is not in RCC.
This fact may though be misleading. It is not the motivations, nor the core
philosophical intuitions that draw the line between RCC and $S4_u$. Rather, it
is the logical apparatus which makes the difference. To stress the similarities,
next it is shown how the main predicates of RCC can be expressed within $S4_u$.
Consider the case of RCC8:


RCC8        | $S4_u$                                                                                              | Interpretation
DC(A, B)    | $\neg E(A \wedge B)$                                                                                | A is DisConnected from B
EC(A, B)    | $E(\Diamond A \wedge \Diamond B) \wedge \neg E(\Box A \wedge \Box B)$                               | A and B are Externally Connected
PO(A, B)    | $E(A \wedge B) \wedge E(A \wedge \neg B) \wedge E(\neg A \wedge B)$                                 | A and B Properly Overlap
TPP(A, B)   | $U(A \to B) \wedge E(\Diamond A \wedge \Diamond B \wedge \Diamond\neg A \wedge \Diamond\neg B)$     | A is a Tangential Proper Part of B
NTPP(A, B)  | $U(\Diamond A \to \Box B)$                                                                          | A is a Non Tangential Proper Part of B
TPPi(A, B)  | $U(B \to A) \wedge E(\Diamond B \wedge \Diamond A \wedge \Diamond\neg B \wedge \Diamond\neg A)$     | The inverse of the TPP predicate
NTPPi(A, B) | $U(\Diamond B \to \Box A)$                                                                          | The inverse of the NTPP predicate
EQ(A, B)    | $U(A \leftrightarrow B)$                                                                            | A and B are EQual


Indeed one can define the same predicates as RCC8, but as remarked before the
nature of the approach is quite different. Take for instance the non tangential
proper part predicate. In RCC it is defined by means of the non-existence of a third
entity $C$:


NTPP(A, B) iff $P(A, B) \wedge \neg P(B, A) \wedge \neg\exists C [EC(C, A) \wedge EC(C, B)]$


On the other hand, in $S4_u$ it is simply a matter of topological operations. As
in the previous table, for NTPP(A, B) it is sufficient to take the interior of the
containing region $\Box B$, the closure of the contained region $\Diamond A$ and check if all
points that satisfy the latter $\Diamond A$ also satisfy the former $\Box B$.

RCC and $S4_u$ are even more similar if one takes the perspective of looking
at Bennett's decidable modal encoding of RCC, [7]. Bennett's approach is to start
from Tarski's original interpretation of modal logic in terms of topological spaces
(Tarski proves S4 to be the complete logic of all topological spaces) and then to
increase the expressive power of the language by means of a universal modality.
The positive side effect is that the languages obtained in this manner usually
maintain nice computational properties. The road to $S4_u$ has followed the same
path and was inspired by Bennett's original work.

Here is the most important difference between the two approaches: the motivation
for the work of Bennett comes from RCC, the one for the proposed framework
from topology. $S4_u$ keeps a general topological view on spatial reasoning; it gives
means to express more of the topological intricacy of the regions in comparison
with RCC. For example, regularity is not enforced by axioms (as in RCC), but it
is expressible directly by an $S4_u$ formula ($\beta$). More on the 'topological expressive
power' of S4 and its universal extension can be found in [2].


3 When Are Two Spatial Patterns the Same? 


One is now ready to address questions such as: When are two spatial patterns
the same? or When is a pattern a sub-pattern of another one? More formally,
one wants to define a notion of equivalence adequate for $S4_u$ and the topological
models. In first-order logic the notion of 'partial isomorphism' is the building
block of model equivalence. Since $S4_u$ is a multi-modal language, one resorts to
bisimulation, which is the modal analogue of partial isomorphism. Bisimulations
compare models in a structured sense, 'just enough' to ensure the truth of the
same modal formulas [8,13].


Definition 1 (Topological bisimulation). Given two topological models
$(X, O, \nu)$, $(X', O', \nu')$, a total topological bisimulation is a non-empty relation
$\rightleftharpoons \subseteq X \times X'$ defined for all $x \in X$ and for all $x' \in X'$ such that if $x \rightleftharpoons x'$:


(base): $x \in \nu(p)$ iff $x' \in \nu'(p)$ (for any proposition letter $p$)


(forth condition): if $x \in o \in O$ then
$\exists o' \in O' : x' \in o'$ and $\forall y' \in o' : \exists y \in o : y \rightleftharpoons y'$


(back condition): if $x' \in o' \in O'$ then
$\exists o \in O : x \in o$ and $\forall y \in o : \exists y' \in o' : y \rightleftharpoons y'$


If only the base and forth conditions hold, the second model simulates the first one.
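For finite models the three conditions of Definition 1 can be checked by brute force. The following Python sketch is a hedged illustration: the model encoding (point set, list of opens, valuation dictionary), the representation of the relation as a set of pairs, and the function name are assumptions made for this example.

```python
def is_total_topo_bisimulation(m1, m2, rel):
    """Check base, forth and back for every related pair, plus totality."""
    (X1, O1, v1), (X2, O2, v2) = m1, m2
    if not rel:
        return False
    # Totality: every point of each model is related to some point of the other.
    if not all(any((x, y) in rel for y in X2) for x in X1):
        return False
    if not all(any((x, y) in rel for x in X1) for y in X2):
        return False
    atoms = set(v1) | set(v2)
    for x, y in rel:
        # Base: related points satisfy the same proposition letters.
        if any((x in v1.get(p, ())) != (y in v2.get(p, ())) for p in atoms):
            return False
        # Forth: every open around x is matched by some open around y.
        for o1 in (o for o in O1 if x in o):
            if not any(y in o2 and all(any((a, b) in rel for a in o1) for b in o2)
                       for o2 in O2):
                return False
        # Back: every open around y is matched by some open around x.
        for o2 in (o for o in O2 if y in o):
            if not any(x in o1 and all(any((a, b) in rel for b in o2) for a in o1)
                       for o1 in O1):
                return False
    return True

# A one-point model and a two-point indiscrete model where p holds everywhere.
M1 = ({1}, [frozenset(), frozenset({1})], {"p": {1}})
M2 = ({"a", "b"}, [frozenset(), frozenset({"a", "b"})], {"p": {"a", "b"}})
# A two-point discrete model where p holds only at "a".
M3 = ({"a", "b"},
      [frozenset(), frozenset({"a"}), frozenset({"b"}), frozenset({"a", "b"})],
      {"p": {"a"}})
REL = {(1, "a"), (1, "b")}
```

With these hypothetical models, `REL` is a total bisimulation between `M1` and `M2`, but not between `M1` and `M3`, where the base condition fails at the pair `(1, "b")`.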


The notion of bisimulation is used to answer questions of 'sameness' of models,
while simulation will serve the purpose of identifying sub-patterns. However, one
must show that the above definition is adequate with respect to the
mereotopological framework provided in this paper.


Theorem 1. Let $M = (X, O, \nu)$, $M' = (X', O', \nu')$ be two models, $x \in X$, and
$x' \in X'$ bisimilar points. Then, for any modal formula $\varphi$ in $S4_u$, $M, x \models \varphi$ iff
$M', x' \models \varphi$.


Theorem 2. Let $M = (X, O, \nu)$, $M' = (X', O', \nu')$ be two models with finite
$O$, $O'$, $x \in X$, and $x' \in X'$ such that for every $\varphi$ in $S4_u$, $M, x \models \varphi$ iff $M', x' \models \varphi$.
Then there exists a total bisimulation between $M$ and $M'$ connecting $x$ and $x'$.

In words, extended modal formulas are invariant under total bisimulations, while
finite modally equivalent models are totally bisimilar. The proofs are
straightforward extensions of those of Theorem 1 and Theorem 2 in [2], respectively. In
the case of Theorem 1, the inductive step must be extended also to consider the
universal and existential modalities; while for Theorem 2, one needs to add a
universal quantification over all points of the two equivalent models. One may
notice that in Theorem 2 a finiteness restriction is posed on the open sets. This
will not surprise the modal logician, since the same kind of restriction holds for
Kripke semantics and does not affect the proposed use for bisimulations in the
mereotopological framework.


4 How Different Are Two Spatial Patterns? 


Although topological bisimulation is satisfactory from the formal point of view, one
needs more to address qualitative spatial reasoning problems and computer
vision issues. If two models are not bisimilar, or one does not simulate the other,
one must be able to quantify the difference between the two models.
Furthermore, this difference should behave in a coherent manner across the class of all
models. Informally, one needs to answer questions like: How different are two
spatial patterns?

To this end, the game theoretic definition of topo-games as in [2] is recalled,
and the proof of the main result of this paper follows, namely the fact that
topo-games induce a distance on the space of all topological models for $S4_u$.
First, the definition and the theorem that ties together the topo-games, $S4_u$ and
topological models are given.


Definition 2 (Topo-game). Consider two topological models $(X, O, \nu)$, $(X', O', \nu')$
and a natural number $n$. A topo-game of length $n$, notation $TG(X, X', n)$,
consists of $n$ rounds between two players, Spoiler and Duplicator, who move
alternately. Spoiler is granted the first move and always the choice of which
type of round to engage, either global or local. The two sorts of rounds are
defined as follows:


- global
(i) Spoiler chooses a model $X_s$ and picks a point $\bar{x}_s$ anywhere in $X_s$
(ii) Duplicator chooses a point $\bar{x}_d$ anywhere in the other model $X_d$


- local
(i) Spoiler chooses a model $X_s$ and an open $o_s$ containing the current point
$x_s$ of that model
(ii) Duplicator chooses an open $o_d$ in the other model $X_d$ containing the
current point $x_d$ of that model
(iii) Spoiler picks a point $\bar{x}_d$ in Duplicator's open $o_d$ in the $X_d$ model
(iv) Duplicator replies by picking a point $\bar{x}_s$ in Spoiler's open $o_s$ in $X_s$

The points $\bar{x}_s$ and $\bar{x}_d$ become the new current points. A game always starts with
a global round. By this succession of actions, two sequences are built. The form
after $n$ rounds is:


$\{x_1, x_2, x_3, \ldots, x_n\}$


$\{x'_1, x'_2, x'_3, \ldots, x'_n\}$


After $n$ rounds, if $x_i$ and $x'_i$ (with $i \in [1, n]$) satisfy the same propositional
atoms, Duplicator wins, otherwise, Spoiler wins. A winning strategy (w.s.) for
Duplicator is a function from any sequence of moves by Spoiler to appropriate
responses which always end in a win for him. Spoiler's winning strategies are
defined dually.


The multi-modal rank of an $S4_u$ formula is the maximum number of nested modal
operators appearing in it (i.e. $\Box$, $\Diamond$, $U$ and $E$ modalities). The following adequacy
of the games with respect to the mereotopological language holds.


Theorem 3 (Adequacy). Duplicator has a winning strategy for $n$ rounds in
$TG(X, X', n)$ iff $X$ and $X'$ satisfy the same formulas of multi-modal rank at
most $n$.


The reader is referred to [2] for a proof, various examples of plays and a discussion 
of winning strategies. 

The interesting result is that of having a game theoretic tool to compare 
topological models. Given any two models, they can be played upon. If Spoiler 
has a winning strategy in a certain number of rounds, then the two models are 
different up to a certain degree. The degree is exactly the minimal number of 
rounds needed by Spoiler to win. On the other hand, one knows (see [2]) that if
Spoiler has no w.s. in any number of rounds, and therefore Duplicator has one in all
games, including the infinite round game, then the two models are bisimilar.

A way of comparing any two given models is not of great use by itself. It 
is essential instead to have some kind of measure. It turns out that topo-games 
can be used to define a distance measure. 


Definition 3 (isosceles topo-distance). Consider the space of all topological
models $T$. Spoiler's shortest possible win is the function $spw : T \times T \to \mathbb{N} \cup \{\infty\}$,
defined as:

$$spw(X_1, X_2) = \begin{cases} n, & \text{if Spoiler has a winning strategy in } TG(X_1, X_2, n) \text{ but not in } TG(X_1, X_2, n-1) \\ \infty, & \text{if Spoiler does not have a winning strategy in } TG(X_1, X_2, \infty) \end{cases}$$

Fig. 2. On the left, three models and their relative distance. On the right, the
distinguishing formulas.

The isosceles topo-model distance (topo-distance, for short) between $X_1$ and $X_2$
is the function $tmd : T \times T \to [0, 1]$ defined as:

$$tmd(X_1, X_2) = \frac{1}{spw(X_1, X_2)}$$
The distance was named 'isosceles' since it satisfies the triangular property in
a peculiar manner. Given three models, two of the distances among them (two
sides of the triangle) are always the same and the remaining distance (the other
side of the triangle) is smaller or equal. On the left of Figure 2, three models are
displayed: a spoon, a fork and a plate. Think of these cutlery objects as subsets of
a dense space, such as the real plane, which evaluate to $\varphi$, while the background
of the items evaluates to $\neg\varphi$. The isosceles topo-distance is displayed on the left
next to the arrow connecting two models. For instance, the distance between
the fork and the spoon is $\frac{1}{2}$ since the minimum number of rounds that Spoiler
needs to win the game is 2. To see this, consider the formula $E\Box\varphi$, which is true
on the spoon (there exists an interior point of the region $\varphi$ associated with the
spoon) but not on the fork (which has no interior points). On the right of the
figure, the formulas used by Spoiler to win the three games between the fork, the
spoon and the plate are shown. Next comes the proof that tmd is really a distance;
in particular, that the triangular property, exemplified in Figure 2, is always
satisfied by any three topological models.
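The passage from Spoiler's shortest possible win to the topo-distance, and the 'isosceles' shape of any triangle of distances, can be written down in a few lines. This Python sketch is illustrative only: it takes the values of spw as given inputs (computing them requires solving the games), represents an infinite spw by `math.inf`, and uses hypothetical function names.

```python
import math
from fractions import Fraction

def tmd(spw):
    """Topo-distance 1/spw, with distance 0 when Spoiler never wins."""
    if spw == math.inf:
        return Fraction(0)
    return Fraction(1, spw)

def is_isosceles(d12, d23, d13):
    """True if the two largest of the three distances coincide."""
    _, middle, largest = sorted([d12, d23, d13])
    return middle == largest

def satisfies_triangle(d12, d23, d13):
    """Ordinary triangle inequality, checked for all three sides."""
    return d12 + d23 >= d13 and d12 + d13 >= d23 and d23 + d13 >= d12
```

For example, `tmd(2)` gives the distance 1/2 quoted for the fork and the spoon. Any triple of distances that passes `is_isosceles` also passes `satisfies_triangle`, since the longest side is matched by another side of the same length.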
Theorem 4 (isosceles topo-model distance). tmd is a distance measure on
the space of all topological models.


Proof. tmd satisfies the three properties of distances; i.e., for all $X_1, X_2, X_3 \in T$:


(i) $tmd(X_1, X_2) \geq 0$ and $tmd(X_1, X_2) = 0$ iff $X_1 = X_2$
(ii) $tmd(X_1, X_2) = tmd(X_2, X_1)$
(iii) $tmd(X_1, X_2) + tmd(X_2, X_3) \geq tmd(X_1, X_3)$


As for (i), from the definition of topo-games it follows that the number of rounds
that can be played is a positive quantity. Furthermore, the interpretation of
$X_1 = X_2$ is that the spaces $X_1$, $X_2$ satisfy the same modal formulas. If Spoiler
does not have a w.s. in $\lim_{n \to \infty} TG(X_1, X_2, n)$ then $X_1$, $X_2$ satisfy the same
modal formulas. Thus, one correctly gets

$$tmd(X_1, X_2) = \lim_{n \to \infty} \frac{1}{n} = 0.$$

Equation (ii) is immediate by noting that, for all $X_1$, $X_2$, $TG(X_1, X_2, n) = TG(X_2, X_1, n)$.

As for (iii), the triangular property, consider any three models X1, X2, X3 and 
the three games playable on them, 


TG(X1, X2,n), TG(X2, X3,n), TG(X1, X3,n) (1) 


Two cases are possible. Either Spoiler has no winning strategy in any of the
three games (1) for any number of rounds, or he has a winning strategy in at
least one of them.

If Spoiler has no winning strategy in any of the games (1) for any
number of rounds $n$, then Duplicator has a winning strategy in all games (1).
Therefore, the three models satisfy the same modal formulas, spw $\to \infty$, and
tmd $\to 0$. Trivially, the triangular property (iii) is satisfied.

Suppose Spoiler has a winning strategy in one of the games (1). Via Theorem 3
(adequacy), one can shift the reasoning from games to formulas: there
exists a modal formula $\gamma$ of multi-modal rank $m$ such that $X_i \models \gamma$ and $X_j \models \neg\gamma$.
Without loss of generality, one can think of $\gamma$ as being in normal form:


y=V AV (ss) (2) 


This last step is granted by the fact that every formula $\gamma$ of $S4_u$ has an equivalent
one in normal form whose modal rank is equal to or smaller than that of $\gamma$.²
Let $\gamma^*$ be the formula with minimal multi-modal depth $m^*$ with the property:
$X_i \models \gamma^*$ and $X_j \models \neg\gamma^*$. Now, the other model $X_k$ either satisfies $\gamma^*$ or its
negation. Without loss of generality, $X_k \models \gamma^*$ and therefore $X_j$ and $X_k$ are
distinguished by a formula of depth $m^*$. Suppose $X_i$ and $X_k$ to be distinguished
by a formula $\theta$ of multi-modal rank $h < m^*$: $X_i \models \theta$ and $X_k \models \neg\theta$. By
the minimality of $m^*$, one has that $X_j \models \theta$, and hence, $X_j$ and $X_k$ can be
distinguished at depth $h$. As this argument is symmetric, it shows that either


- one model is at distance $\frac{1}{m^*}$ from the other two models, which are at distance
  $\frac{1}{l}$ ($l \geq m^*$) one from the other, or
- one model is at distance $\frac{1}{h}$ from the other two models, which are at distance
  $\frac{1}{m^*}$ ($< \frac{1}{h}$) one from the other.


It is a simple matter of algebraic manipulation to check that $m^*, l$ and $h, m^*$ (as
in the two cases above) always satisfy the triangular inequality.


2 In the proof, the availability of the normal form is not strictly necessary, but it
gives a better impression of the behavior of the language and it has important
implementation consequences [2].
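
The algebraic check at the end of the proof can also be run mechanically. The following is only an illustrative sketch, not part of the original proof: it assumes that distances have the form 1/n (with 0 standing for models that are never distinguished), and the function names and the depth bound 12 are hypothetical choices made for the example.

```python
from fractions import Fraction
from itertools import permutations


def distance(depth):
    """Return 1/depth, or 0 when no formula distinguishes the models (depth None)."""
    return Fraction(0) if depth is None else Fraction(1, depth)


def satisfies_triangle(d12, d23, d13):
    """True if every side is at most the sum of the other two."""
    return all(a + b >= c for a, b, c in permutations((d12, d23, d13)))


def check_isosceles_cases(max_depth=12):
    """Exhaustively check both cases of the proof for depths up to max_depth."""
    for m_star in range(1, max_depth + 1):
        # Case 1: two sides 1/m*, third side 1/l with l >= m* (or distance 0).
        for l in [*range(m_star, max_depth + 1), None]:
            if not satisfies_triangle(distance(m_star), distance(m_star), distance(l)):
                return False
        # Case 2: two sides 1/h with h < m*, third side 1/m*.
        for h in range(1, m_star):
            if not satisfies_triangle(distance(h), distance(h), distance(m_star)):
                return False
    return True
```

In both cases the two equal sides are the longest ones, which is why the inequality cannot fail; a triple such as (1, 1/5, 1/5), where the single long side exceeds the sum of the other two, is rejected by the same check.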


The nature of the isosceles topo-distance raises a question: why, given three
spatial models, is the distance between two pairs of them always the same?

First an example: consider a spoon, a chop-stick and a sculpture by Henry
Moore. It is immediate to distinguish Moore's sculpture from the spoon
and from the chop-stick. The distance between them is high and the same. On
the other hand, the spoon and the chop-stick look much more similar; thus,
their distance is much smaller. Mereotopologically, it may even be impossible to
distinguish them, i.e., the distance may be null.

In fact one is dealing with models of a qualitative spatial reasoning language
of mereotopology. Given three models, via the isosceles topo-distance, one can
easily distinguish the very different patterns. In some sense they are far apart,
as if they belonged to different equivalence classes. Then, distinguishing
the remaining two can only be harder, or equivalently, the distance can only be
smaller.


5 Concluding Remarks 


In this paper, a new perspective on mereotopology is taken, addressing issues of
model equivalence and especially of model comparison. Defining a distance that
encodes the mereotopological difference between spatial models has important
theoretical and practical implications. In addition, the use of model comparison
games is novel. Model comparison games have been used only to compare two
given models, but the issue of setting a distance among a whole class of models
has not been addressed. The technique employed in Theorem 4 for the language
$S4_u$ is more general, as it can be used for all Ehrenfeucht-Fraïssé style model
comparison games³ adequate for modal and first-order languages equipped with
negation. A question interesting per se, but out of the scope of the present paper,
is: which is the class of games (over which languages) for which a notion of
isosceles distance holds? (E.g., are pebble games suited too?)

3 For an introduction to Ehrenfeucht-Fraïssé games see, for instance, [11].

Another question open for further investigation is the computability of the
topo-distance. First, there is a general issue on how to calculate the distance
for any topological space. One may be pessimistic at first glance, since the
definition and the proof of Theorem 4 are not constructive, but the proof of the
adequacy theorem for topo-games given in [2] actually is. Furthermore,
decidability results for the logic $S4_u$ on the usual Kripke semantics (cf. [12])
should extend to the topological interpretation. Second, in usual applications
the topological spaces at hand are much more structured and tractable. For
example, in a typical geographical information system, regions are represented
as a finite number of open and/or closed polygons. With these structures, it is
known that finiteness results apply (cf. [3]) and one should be able to compute
the topo-distance by checking a finite number of points of the topological spaces.
Currently, an image retrieval system based on spatial relationships, where the
indexing parameter is the topo-distance, is being built [1]. The aim is twofold:
on the one hand, one wants to build a system that effectively computes the
topo-distance; on the other, one wants to check with the average user whether and
how much the topo-distance is an intuitive and meaningful notion.

Broadening the view, another important issue is that of increasing the
expressive power of the spatial language, and then considering whether and how the
notion of isosceles distance extends. The most useful extensions are those capturing
geometrical properties of regions, e.g. orientation, distance or shape. Again one can
start from Tarski's ideas on axiomatizing geometry [18], but one can also follow
different paths. For example, staying on the ground of modal logics, one can look
at languages for incidence geometries. In this approach, one distinguishes the sorts
of elements that populate space and considers the incidence relation between
elements of the different sorts (see [6,5,19]).

Abstract. In this paper we shall present a translation of the process
semantics [5] to the event calculus. The aim is to realize a method of
integrating high-level semantics with logical calculi to reason about
continuous change. The general translation rules and the soundness and
completeness theorem of the event calculus with respect to the process
semantics are the main technical results of this paper.


1 Introduction 


In the real world a vast variety of applications need logical reasoning about phys- 
ical properties in dynamic, continuous systems, e.g., specifying and describing 
physical systems with continuous actions and changes. 

Early research on this topic addressed the problem of representing continuous
change in a temporal reasoning formalism [1]. The standard approach uses
equidistant, discrete time points; that is, it quantizes the whole scenario into
a finite number of points in time at which all system parameters are presented
as variables. If there were infinitely many points at infinitely small distance,
this might be sufficient. But, since a discretization is always finite, a problem
arises when an action or event happens in between two of these points.

Some work has been done to extend specific action calculi in order to deal
with continuous change. The event calculus [7] is one formalism for reasoning about
time and change. It uses general rules to derive that a new property holds as
the result of an event. In [9, 11, 12, 2], logical formalisms based on the event
calculus have been explored for representing continuous change. However, these
ideas have not yet been exploited to define a high-level action semantics serving
as a basis for a formal justification of such calculi, their comparison, and an
assessment of the range of their applicability [5].

Whereas the formalisms described above focus directly on creating new, or
extending existing, specialized logical formalisms, the other research direction
consists in developing an appropriate semantics [4, 10, 14] as the basis for a
general theory of action and change, which has been successfully applied to
concrete calculi [6, 3, 13]. In [4], the Action Description Language was developed,
which is based on the concept of single-step actions and does not include the
notion of time. In [10], the duration of actions is not fixed, but an equidistant
discretization of time is assumed and state transitions only occur when actions
are executed. In [14], user-independent events are allowed to cause state
transitions. Again, equidistant discretization is assumed. These formalisms are
therefore not suitable for calculi dealing with continuous change.

In 1996, Herrmann and Thielscher [5] proposed a logic of processes for rea- 
soning about continuous change which allows for varying temporal distances 
between state transitions, and a more general notion of a process is proposed 
as the underlying concept for constructing state descriptions. In the process se- 
mantics, a state transition may cause existing processes to disappear and new 
processes to arise. State transitions are either triggered by the execution of ac- 
tions or by interactions between processes, which both are specified by transition 
laws. 

In this paper we shall present a translation of the process semantics to the 
event calculus. The aim is to realize a method of integrating high-level semantics 
with logical calculi to reason about continuous change. In the following, we first 
review the event calculus and the logic of processes, and then show how the 
process semantics can be represented in the event calculus. On this basis, we 
prove the soundness and completeness of the event calculus with respect to the 
process semantics. 


2 Event Calculus 


The event calculus [7] was developed as a theory for reasoning about time and 
events in a logic programming framework. In the event calculus, the ontological 
primitives are events, which initiate periods during which properties hold. A 
property which has been initiated continues to hold by default until some event 
occurs which terminates it. Time periods are identified by giving their start 
and end times which are named by terms of the form after(e,p) or before(e, p) 
where the first argument is the name of the event which starts or ends the time 
period and the second argument the name of the property itself. A general,
one-argument predicate Holds is used to express that a property p holds for a
period.

The occurrence of an event e at time t is denoted by Happens(e,t). The for- 
mula Initiates(e, p) (Terminates(e,p)) means that event e initiates (terminates) 
the property p. 

The reasoning can be formalized by employing a predicate HoldsAt(p, t),
where p denotes a property and t a time point:


HoldsAt(p, t) ← Holds(after(e, p)), time(e, t_0),
                In(t, after(e, p)), t_0 < t.


Holds(after(e, p)) ← Happens(e, t), Initiates(e, p).

This means that a property p holds at time $t$ if p holds for the period after
an event e that happens at time $t_0$, and no event happens between $t_0$ and $t$
that terminates the property p.

Further domain-dependent axioms are needed to define the predicates
Happens, Initiates and Terminates.

For example, suppose we want to express that the property possess(Antje,
Book) holds after the event E (Tom gives the book to Antje) happens. In this case,
the predicates Initiates and Terminates can be defined as:


Initiates(e, possess(x, y)) ← Act(e, Give), Recipient(e, x), Object(e, y).


Terminates(e, possess(x, y)) ← Act(e, Give), Donor(e, x), Object(e, y).


where the predicate Act represents the type of the event (action), Recipient and Donor
represent the recipient and the donor of this event (action), and Object the object
acted on by this event (action).

The assertion HoldsAt(possess(Antje, Book), t) can then be derived
from the predicates defined above for the event description.
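
To make the derivation concrete, here is a minimal sketch of the HoldsAt reasoning in Python. It is an illustration under simplifying assumptions rather than the logic-programming formulation itself: events are plain records, time points are numbers, and the names `Event`, `initiates`, `terminates` and `holds_at`, as well as the second event `E2`, are hypothetical.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    name: str
    act: str
    donor: str
    recipient: str
    obj: str
    time: float


def initiates(e, prop):
    """A Give event initiates possess(recipient, object)."""
    kind, x, y = prop
    return kind == "possess" and e.act == "Give" and e.recipient == x and e.obj == y


def terminates(e, prop):
    """A Give event terminates possess(donor, object)."""
    kind, x, y = prop
    return kind == "possess" and e.act == "Give" and e.donor == x and e.obj == y


def holds_at(prop, t, events):
    """prop holds at t if an earlier event initiated it and nothing terminated it since."""
    for e in events:
        if e.time < t and initiates(e, prop):
            clipped = any(e.time < e2.time < t and terminates(e2, prop) for e2 in events)
            if not clipped:
                return True
    return False


# Tom gives the book to Antje at time 1; Antje gives it back at time 3 (assumed data).
E = Event("E", "Give", "Tom", "Antje", "Book", time=1.0)
E2 = Event("E2", "Give", "Antje", "Tom", "Book", time=3.0)
```

With only `E` in the narrative, `holds_at(("possess", "Antje", "Book"), 2.0, [E])` succeeds; adding `E2` terminates Antje's possession from time 3 onwards, which mirrors the default persistence described above.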


3 Logic of Processes 


In this section, we introduce a formal, high-level semantics proposed by Her- 
rmann and Thielscher [5], for reasoning about continuous processes, their inter- 
action in the course of time, and their manipulation. 


Definition 1. A process scheme is a pair $(C, F)$ where $C$ is a finite, ordered set
of symbols of size $l > 0$ and $F$ is a finite set of functions $f : \mathbb{R}^{l+2} \to \mathbb{R}$.


Example 1. Let $(C, F)$ be a process scheme describing continuous movement
of an object on a line as follows: $C = \{l_0, v\}$ and $F = \{f(l_0, v, t_0, t) =
l_0 + v \cdot (t - t_0)\}$, where $l_0$ denotes the initial location coordinate, $v$ the velocity,
$t_0$ and $t$ the initial and the actual time, and we denote by $l = f(l_0, v, t_0, t)$ the
actual location of the object at time $t$.


Definition 2. Let $N$ be a set of symbols (called names). A process is a 4-tuple
$(n, \tau, t_0, p)$ where


1. $n \in N$;

2. $\tau = (C, F)$ is a process scheme where $C$ is of size $m$;

3. $t_0 \in \mathbb{R}$; and

4. $p = (p_1, \ldots, p_m) \in \mathbb{R}^m$ is an $m$-dimensional vector over $\mathbb{R}$.

Example 2. Let $\tau_{move}$ denote the example scheme from above; then


(TrainA, τ_move, 1:00pm, (0mi, 25mph))
(TrainB, τ_move, 1:30pm, (80mi, -20mph))


are two processes describing two trains moving toward each other with different
speeds at different starting times.


Definition 3. A situation is a pair $(S, t_s)$ where $S$ is a set of processes and $t_s$
is a time-point which denotes the time when $S$ started.


Definition 4. An event is a triple $(P_1, t, P_2)$ where $P_1$ (the precondition) and
$P_2$ (the effect) are finite sets of processes and $t \in \mathbb{R}$ is the time at which the
event is expected to occur.


Definition 5. An event $(P_1, t, P_2)$ is potentially applicable in a situation $(S, t_s)$
iff $P_1 \subseteq S$ and $t > t_s$. If $\varepsilon$ is a set of events then an event $(P_1, t, P_2) \in \varepsilon$
is applicable to $(S, t_s)$ iff it is potentially applicable and for each potentially
applicable $(P'_1, t', P'_2) \in \varepsilon$ we have $t \leq t'$.


Example 3. Let $S$ denote the two processes of Example 2. Further, let $t_s$ =
3:00pm; then the following event, which describes an inelastic collision
interpreted as a coupling of trains, is applicable to $(S, t_s)$:


(P_1 = {(TrainA, τ_move, 1:00pm, (0mi, 25mph)),
        (TrainB, τ_move, 1:30pm, (80mi, -20mph))}


 t = 3:00pm


 P_2 = {(TrainA, τ_move, 3:00pm, (50mi, 5mph)),
        (TrainB, τ_move, 3:00pm, (50mi, 5mph))})


In fact, concrete events are instances of general transition laws which contain 
variables and constraints to guide the process of instantiation, and the event’s 
time is usually determined by the instances of other variables. We can describe 
the transition law for inelastic collisions of two continuously moving objects as 
follows. 


(P_1 = {(N_A, τ_move, T_A0, (X_A0, V_A)),
        (N_B, τ_move, T_B0, (X_B0, V_B))}
 t = T                                                (T1)
 P_2 = {(N_A, τ_move, T, (X_new, V_A + V_B)),
        (N_B, τ_move, T, (X_new, V_A + V_B))})

where it is required that $N_A \neq N_B$, $V_A - V_B \neq 0$, and $x_A = x_B = X_{new}$ at time
$T$. $x_A$ and $x_B$ represent the actual locations of TrainA and TrainB, respectively,
when the collision occurs. Suppose that the two movements are described by $x_A =
X_{A0} + V_A \cdot (T - T_{A0})$ and $x_B = X_{B0} + V_B \cdot (T - T_{B0})$; then the result is:


$$T = \frac{X_{A0} - X_{B0} - V_A \cdot T_{A0} + V_B \cdot T_{B0}}{V_B - V_A}, \qquad X_{new} = X_{A0} + V_A \cdot (T - T_{A0}) \tag{T2}$$
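
As a worked instance, the collision time and location can be computed by equating the two movement equations and solving for T. The sketch below is illustrative only: the function name `collision` is hypothetical, and clock times are encoded as decimal hours (1:00pm = 13.0, 1:30pm = 13.5), which is an assumption made for the example.

```python
def collision(x_a0, v_a, t_a0, x_b0, v_b, t_b0):
    """Solve x_a0 + v_a*(T - t_a0) = x_b0 + v_b*(T - t_b0) for T.

    Returns (T, X_new, common velocity V_A + V_B) as in the transition law.
    """
    if v_a == v_b:
        raise ValueError("equal velocities: the transition law requires V_A - V_B != 0")
    t = (x_b0 - x_a0 + v_a * t_a0 - v_b * t_b0) / (v_a - v_b)
    x_new = x_a0 + v_a * (t - t_a0)
    return t, x_new, v_a + v_b


# TrainA: 0mi, 25mph, from 1:00pm; TrainB: 80mi, -20mph, from 1:30pm.
t, x_new, v_new = collision(0.0, 25.0, 13.0, 80.0, -20.0, 13.5)
```

For the two trains this gives T = 15.0 (3:00pm), a meeting point at 50mi and a common velocity of 5mph, matching the concrete event of Example 3.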


Definition 6. Let $\varepsilon$ be a set of events and $(S, t_s)$ a situation; then the successor
situation $\Phi((S, t_s))$ is defined as follows.


1. If no applicable event exists in $\varepsilon$ then $\Phi((S, t_s)) = (S, \infty)$;

2. if $(P_1, t, P_2) \in \varepsilon$ is the only applicable event then $\Phi((S, t_s)) = (S', t'_s)$ where
$S' = (S \setminus P_1) \cup P_2$ and $t'_s = t$;

3. otherwise $\Phi((S, t_s))$ is undefined, i.e., events here are not allowed to occur
simultaneously.
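
The notions of applicability and successor situation can be sketched operationally as follows. This is a hedged illustration, not the authors' implementation: processes are modelled as hashable tuples, sets of processes as `frozenset`s, an undefined successor as `None`, times as decimal hours, and the starting time 13.5 of the initial situation is an assumption chosen for the example.

```python
import math


def potentially_applicable(event, situation):
    """Precondition is contained in S and the event time lies after the situation start."""
    (p1, t, _p2), (s, t_s) = event, situation
    return p1 <= s and t > t_s


def applicable_events(events, situation):
    """Potentially applicable events with the earliest time among all candidates."""
    candidates = [e for e in events if potentially_applicable(e, situation)]
    if not candidates:
        return []
    earliest = min(e[1] for e in candidates)
    return [e for e in candidates if e[1] == earliest]


def successor(events, situation):
    """Successor situation; None stands for 'undefined' (simultaneous events)."""
    s, _t_s = situation
    applicable = applicable_events(events, situation)
    if not applicable:
        return (s, math.inf)
    if len(applicable) > 1:
        return None
    p1, t, p2 = applicable[0]
    return ((s - p1) | p2, t)


# Example data (assumed encoding of the two trains and their collision event).
before = frozenset({("TrainA", "move", 13.0, (0.0, 25.0)),
                    ("TrainB", "move", 13.5, (80.0, -20.0))})
after = frozenset({("TrainA", "move", 15.0, (50.0, 5.0)),
                   ("TrainB", "move", 15.0, (50.0, 5.0))})
events = [(before, 15.0, after)]
```

Starting from `(before, 13.5)`, one application of `successor` yields `(after, 15.0)`; a second application finds no applicable event and returns the same processes with time infinity.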


Definition 7. An observation is an expression of the form $[t]\, x(n) = r$ where


1. $t \in \mathbb{R}$ is the time of the observation;

2. $x$ is either a symbol in $C$ or the name of a function in $F$ for some process
scheme $(C, F)$;

3. $n$ is a symbol denoting a process name; and

4. $r \in \mathbb{R}$ is the observed value.


Given an initial situation and a set of events, such an observation is true iff
the following holds. Let $S$ be the collection of processes describing the system
at time $t$; then $S$ contains a process $(n, (C, F), t_0, (r_0, \ldots, r_{m-1}))$ such that


1. either $C = (c_0, \ldots, c_{k-1}, x, c_{k+1}, \ldots, c_{m-1})$ and $r_k = r$;
2. or $x \in F$ and $x(r_0, \ldots, r_{m-1}, t_0, t) = r$.


Example 4. The observation [2:15pm] l(TrainB) = 65mi is true in Example 3,
while the observation [3:15pm] l(TrainB) = 45mi is not true, since the latter does
not take into account the train collision.
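
The two observations can be checked numerically. The following sketch is an illustration under stated assumptions: times are decimal hours (2:15pm = 14.25, 3:15pm = 15.25), a system development is a list of (processes, start time) pairs, the initial situation is assumed to start at 13.5, and the helper names are hypothetical.

```python
def location(process, t):
    """l = l0 + v * (t - t0) for a process (name, scheme, t0, (l0, v))."""
    _name, _scheme, t0, (l0, v) = process
    return l0 + v * (t - t0)


def observed_location(development, name, t):
    """Evaluate [t] l(name) against the situation in force at time t.

    development is a list of (processes, start_time) pairs in increasing time order.
    """
    current = None
    for processes, start in development:
        if start <= t:
            current = processes
    if current is None:
        raise ValueError("no situation covers the requested time")
    for process in current:
        if process[0] == name:
            return location(process, t)
    raise KeyError(name)


s0 = [("TrainA", "move", 13.0, (0.0, 25.0)), ("TrainB", "move", 13.5, (80.0, -20.0))]
s1 = [("TrainA", "move", 15.0, (50.0, 5.0)), ("TrainB", "move", 15.0, (50.0, 5.0))]
development = [(s0, 13.5), (s1, 15.0)]
```

At 2:15pm TrainB is at 65mi, as claimed. At 3:15pm the development places it at 51.25mi; the value 45mi arises only if the pre-collision process is extrapolated past 3:00pm.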


Definition 8. A model for a set of observations $\Psi$ (under given sets of names
$N$ and events $\varepsilon$) is a system development $(S_0, t_0), \Phi((S_0, t_0)), \Phi^2((S_0, t_0)), \ldots$
which satisfies all elements of $\Psi$. Such a set $\Psi$ entails an (additional) observation
$\psi$ iff $\psi$ is true in all models of $\Psi$.


All definitions concerning successor situations, developments, and observations
carry over to the case where a set of actions, which are to be executed
(external events), and interactions between processes (internal events) are given.

4 Translation of the Process Semantics to the Event Calculus


In order to represent the process semantics in the event calculus, we here adopt 
the formalisms of the event calculus of Kowalski [7] and a variant presented by 
Shanahan [12]. 

Let $D = (P, E_{proc})$ be a domain description in the process semantics. $D$
consists of a set of processes $P$ and a sequence of events $E_{proc}$. The corresponding
formalism of the event calculus uses variables of two sorts: event variables
$e_1, e_2, \ldots$ and time variables $t_1, t_2, \ldots$. A process is represented as a relation
P(n, R, C) where n denotes the process name, and R and C the sets of dynamic
and static parameters, respectively, defined in the process semantics. The relation
Q(n, F, R, C) expresses the property of the process which holds true during
the period of continuous change. F denotes a finite set of functions describing
the relationship between the dynamic and static parameters. In fact, the content
of the process scheme in the process semantics is specified by the relation
Q(n, F, R, C). There are also some predicate symbols whose meaning will be
clear from their use in the rules below.

Processes and events defined in the process semantics can be formalized in
the event calculus by the following general rules.


HoldsAt(P(n, R, C), t) ←
    Holds(after(e, Q(n, F, R, C))), time(e, t_0),
    In(t, after(e, Q(n, F, R, C))), t_0 < t,                        (G1)
    State(t, s), HoldsIn(P(n, R, C), s),
    ContinuousProperty(Q(n, F, R, C), t_0, P(n, R, C), t).

¬HoldsAt(P(n, R, C), t) ← State(t, s), ¬HoldsIn(P(n, R, C), s).     (G2)

Holds(after(e, Q(n, F, R, C))) ←
    EventTrigger(e, t), Initiates(e, Q(n, F, R, C)).                (G3)

EventTrigger(e, t) ← Happens(e, t).                                 (G4)

EventTrigger(e, t) ← ImplicitHappens(e, t).                         (G5)

In(t, p) ← Start(p, e_1), End(p, e_2), Time(e_1, t_1),
           Time(e_2, t_2), t_1 < t < t_2.                           (G6)

ContinuousProperty(Q(n, F, R, C), t_0, P(n, R, C), t) ←
    R = F(C, t, t_0).                                               (G7)


In (G1), the predicate ContinuousProperty treats continuous change in the event
calculus in correspondence with the process semantics. It means that the
property P(n, R, C) holds during the period of continuous change Q(n, F, R, C),
which starts at time $t_0$ and varies with time $t$. The rule (G7) specifies the
premise required for the predicate ContinuousProperty to hold.

In addition, there are two cases for the occurrence of an event: an event is
triggered by an external action and initial condition, or implicitly by the
transition between processes (defined in the process semantics). In (G4) and (G5),
the triggering of an event is formalized by the predicates EventTrigger, Happens
and ImplicitHappens. In (G6), the predicate In(t, p) expresses that t is a
time point in the time period p.

An event in the process semantics is defined as a triple $(P, t, P')$, where $P$ and
$P'$ are finite sets of processes. The event is expected to occur at time $t$. The
result of the occurrence of the event is that each process in $P$ is transformed into
the corresponding new process in $P'$. It is assumed that the set $P$ (resp. $P'$)
includes $k$ processes $P = (p_1, \ldots, p_k)$ (resp. $P' = (p'_1, \ldots, p'_k)$). The transition of
processes from $P$ into $P'$ is brought about implicitly by the event. We can therefore
define the event of the process semantics in the event calculus as follows.


ImplicitHappens(e, t) ←
    Start(after(e, Q(n_i, F'_i, R'_i, C'_i)), e),
    End(after(e', Q(n_i, F_i, R_i, C_i)), e), e' < e,               (G8)
    ConstraintRelation(R_1, R'_1, ..., R_k, R'_k, t).

ConstraintRelation(R_1, R'_1, ..., R_k, R'_k, t) ←                  (G9)
    g(F_1(C_1, t), F'_1(C'_1, t), ..., F_k(C_k, t), F'_k(C'_k, t)) = Constant.


Here the predicate ConstraintRelation is conditioned by a constraint equation.
The dynamic and static parameters $(R_1, \ldots, R_k)$, $(C_1, \ldots, C_k)$ of the
processes in the set $P$ and $(R'_1, \ldots, R'_k)$, $(C'_1, \ldots, C'_k)$ of those in the set $P'$
satisfy the equation at a specific time $t$. With this equation we can calculate the
time at which the event occurs.

To rule out concurrent events, which cannot be represented in the process
semantics, we give the following rule.


e = e' ← Happens(e, t), Happens(e', t),
         after(e, Q(n, F, R, C)) = after(e', Q(n, F, R, C)).        (G10)


In order to formalize properties of processes and continuous change in the
event calculus, we furthermore introduce the following basic axioms (ES1)-(ES6),
partly based on Shanahan's work [12]. Shanahan's variant of the event calculus
uses a many-sorted language of the first-order predicate calculus with equality,
including variables for time points ($t, t_1, t_2, \ldots$), properties
($p, p_1, p_2, q, q_1, q_2, \ldots$), states ($s, s_1, s_2, \ldots$), truth values
($v, v_1, v_2, \ldots$), and truth elements ($f, f_1, f_2, \ldots$). The domain of truth
values has two members, denoted by the constants True and False. A pair (p, v) is
a truth element. A state is represented as a set of truth elements.


s_1 = s_2 ← (∀f) [f ∈ s_1 ↔ f ∈ s_2].                               (ES1)
(∀s_1, f_1)(∃s_2)(∀f_2) [f_2 ∈ s_2 ↔ [f_2 ∈ s_1 ∨ f_2 = f_1]].      (ES2)
(∃s)(∀f) [¬ f ∈ s].                                                 (ES3)
HoldsIn(p, s) ← [(p, True) ∈ s ∧ ¬AbState(s)].                      (ES4)
¬HoldsIn(p, s) ← [(p, False) ∈ s ∧ ¬AbState(s)].                    (ES5)


State(t, s) ↔
    (∀e, p) [[(p, True) ∈ s ↔ (Initiates(e, p) ∧ Happens(e, t))] ∧  (ES6)
             [(p, False) ∈ s ↔ (Terminates(e, p) ∧ Happens(e, t))]].


In the rest of this paper, the set of axioms (ES1) — (ES6) and rules (G1) — 
(G10) will simply be denoted by ES and G. 
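
The role of states and truth elements in (ES4) and (ES5) can be illustrated with a small sketch. It assumes, as the text describes, that a state is a set of (property, truth value) pairs and that a state is abnormal exactly when it contains both truth values for some property; the function names are hypothetical and the code is not part of the axiomatization.

```python
def ab_state(state):
    """A state is abnormal if it contains both (p, True) and (p, False) for some p."""
    return any((p, not v) in state for (p, v) in state)


def holds_in(p, state):
    """(ES4): p holds in a normal state that contains (p, True)."""
    return (p, True) in state and not ab_state(state)


def not_holds_in(p, state):
    """(ES5): p fails in a normal state that contains (p, False)."""
    return (p, False) in state and not ab_state(state)


normal = {("moving", True), ("stopped", False)}
abnormal = {("moving", True), ("moving", False)}
```

In the abnormal state neither `holds_in` nor `not_holds_in` yields a conclusion about `moving`, which is the behaviour the ¬AbState(s) condition is meant to enforce.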


5 An Example 


Consider two trains TrainA and TrainB starting at different times and moving
towards each other with different speeds. At time $t$, a collision happens, after
which they continue to move together, coupled, with a common speed.

In the process semantics we may describe this scenario by the definition of
processes as follows:


(TrainA, τ_move, T_A0, (X_A0, V_A))
(TrainB, τ_move, T_B0, (X_B0, V_B))


where $T_{A0}$ and $T_{B0}$ denote the start times of the trains TrainA and TrainB, and
$X_{A0}, V_A$ and $X_{B0}, V_B$ their initial locations and velocities, respectively. $\tau_{move}$ is
a symbol which denotes the process scheme describing the continuous movement of the
trains TrainA and TrainB.

In Section 4 we have defined two relations P(n, R, C) and Q(n, F, R, C) to
represent the processes in the event calculus. For instance, we instantiate these as
the relations moving(N, x_N, (l_N, v_N, t_N)) and engine(N, F, x_N, (l_N, v_N, t_N))
to formalize the two processes above in the event calculus. Here N is a variable
ranging over the process names, N ∈ {TrainA, TrainB}. The static parameters
$l_N, v_N, t_N \in C$ correspond to the initial location, the velocity and the starting
time of the train N. The dynamic parameter $x_N \in R$ corresponds to the actual
location of the train N, which varies with time. F corresponds to the process
scheme $\tau_{move}$ of the continuous movement of the trains TrainA and TrainB.

The description of the two processes can be translated into rules in the event 
calculus: 


HoldsAt(moving(TrainA, x_A, (l_A, v_A, t_A)), t) ←
    Holds(after(e, engine(TrainA, F, x_A, (l_A, v_A, t_A)))), time(e, t_0),
    In(t, after(e, engine(TrainA, F, x_A, (l_A, v_A, t_A)))), t_0 < t,
    State(t, s), HoldsIn(moving(TrainA, x_A, (l_A, v_A, t_A)), s),      (S1)
    ContinuousProperty(engine(TrainA, F, x_A, (l_A, v_A, t_A)),
                       t_0, moving(TrainA, x_A, (l_A, v_A, t_A)), t).

HoldsAt(moving(TrainB, x_B, (l_B, v_B, t_B)), t) ←
    Holds(after(e, engine(TrainB, F, x_B, (l_B, v_B, t_B)))), time(e, t_0),
    In(t, after(e, engine(TrainB, F, x_B, (l_B, v_B, t_B)))), t_0 < t,
    State(t, s), HoldsIn(moving(TrainB, x_B, (l_B, v_B, t_B)), s),      (S2)
    ContinuousProperty(engine(TrainB, F, x_B, (l_B, v_B, t_B)),
                       t_0, moving(TrainB, x_B, (l_B, v_B, t_B)), t).

ContinuousProperty(engine(N, F, x, (l, v, t_0)),                        (S3)
                   t_0, moving(N, x, (l, v, t_0)), t) ← x = l + v · (t − t_0).


By using moving and engine as general properties, we describe a process
in which a train N moves continuously. $t$ and $x$ denote the actual time and
location of the train, which satisfy the equation $x = l + v \cdot (t - t_0)$. $l$ and $t_0$
denote the initial location and the time of occurrence of the event e which initiates
the property engine (the engine of the train is on), so that the train starts to move
continuously from the initial location $l$ with velocity $v$ until a new event
terminates this process.

In the process semantics, an event is represented as a triple $(P, t, P')$, whereby
each concrete event is viewed as an instance of the general transition laws. The
occurrence of an event at time $t$ terminates the former processes $P$ and gives rise
to new processes $P'$. We can describe the transition law for inelastic
collisions of two continuously moving objects by (T1) and (T2).

The event for an inelastic collision, which is interpreted as a coupling of trains,
can be formalized in the event calculus by the following rules.


ImplicitHappens(e, t) ←
    Start(after(e, engine(TrainA, F, x_A, (l_newA, v_newA, t))), e),
    End(after(e', engine(TrainA, F, x_A, (l_oldA, v_oldA, t_oldA))), e),
    Start(after(e, engine(TrainB, F, x_B, (l_newB, v_newB, t))), e),    (S4)
    End(after(e'', engine(TrainB, F, x_B, (l_oldB, v_oldB, t_oldB))), e),
    e' < e, e'' < e,
    ConstraintRelation(l_newA, v_newA, l_newB, v_newB, l_oldA, v_oldA,
                       l_oldB, v_oldB, t_oldA, t_oldB, t).


ConstraintRelation(l_newA, v_newA, l_newB, v_newB, l_oldA, v_oldA,
                   l_oldB, v_oldB, t_oldA, t_oldB, t) ←
    l_oldA + v_oldA · (t − t_oldA) = l_oldB + v_oldB · (t − t_oldB),    (S5)
    l_newA = l_newB = l_oldA + v_oldA · (t − t_oldA),
    v_newA = v_newB = v_oldA + v_oldB.


We suppose that TrainA (initial location 0mi) starts to move at time
1:00pm with velocity 25mph, while TrainB starts at time 1:30pm with velocity
-20mph. We describe two events MoveA and MoveB and have the domain-dependent
formulae as follows.

Happens(MoveA, 1:00pm).                                             (H1)
Happens(MoveB, 1:30pm).                                             (H2)


In the following, we show that a collision occurs between TrainA
and TrainB at 3:00pm and that they then move together, coupled, with a common
speed. Here we use circumscription [8] to minimise the extensions of certain
predicates.

Let $\chi$ be the conjunction of the axioms ES, G, S and H without (ES6) and
(G1). $CIRC_{ec}[\chi]$ is defined as the conjunction of


CIRC[χ; Happens, Initiates, Terminates; State, HoldsAt]
with
CIRC[χ; AbState; Happens, Initiates, Terminates, State, HoldsAt].


We take the first conjunct of $CIRC_{ec}[\chi]$. Since all occurrences of Happens,
Initiates and Terminates in $\chi$ are positive,


CIRC[χ; Happens, Initiates, Terminates]
is equivalent to
CIRC[χ; Happens] ∧ CIRC[χ; Initiates] ∧ CIRC[χ; Terminates]


(see Theorem 3 in the next section). It can be seen that the following
characterizations of Happens and Initiates are true in all of its models:


Happens(e, t) ↔                                                     (1)
    [e = MoveA ∧ t = 1:00pm] ∨ [e = MoveB ∧ t = 1:30pm]


Initiates(e, p) ↔
    [e = MoveA ∧ p = engine(TrainA, F, x_A, (0mi, 25mph))] ∨        (2)
    [e = MoveB ∧ p = engine(TrainB, F, x_B, (80mi, -20mph))]


Since there are no occurrences of State and HoldsAt in $\chi$, (1) and (2) are also
true in all models of $CIRC_{ec}[\chi]$.

We take the second conjunct of $CIRC_{ec}[\chi]$. The only abnormal combinations
of truth elements are those which include both (p, False) and (p, True) for some
p. So, in all models of


CIRC[χ; AbState; Happens, Initiates, Terminates]


we have


AbState(s) ↔ (∃p) [(p, False) ∈ s ∧ (p, True) ∈ s]                  (3)

Since there are no occurrences of State and HoldsAt in $\chi$, allowing these
predicates to vary does not affect the outcome of circumscription. So, (3) is also true
in all models of $CIRC_{ec}[\chi]$. Since (G1) and (ES6) are chronological, we can show
that (1), (2) and (3) are also true in all models of $CIRC_{ec}[ES \wedge G \wedge S \wedge H]$ (see
Theorem 1 in the next section).

The combination of (3) with the axioms ES, G, S and H ensures that every
model includes a state in which the properties engine and moving hold.

By the rules (S1)-(S5), we can deduce that an implicit event, denoted $e_{ic}$,
occurs at time 3:00pm, since the condition of the constraint equation in (S4)-(S5)
is satisfied. It is easy to show from (1), (2), (3) and (S4)-(S5) that in all
models under circumscription we have


(∃s) [State(3:00pm, s) ∧ HoldsIn(moving(TrainA, x_A, (50mi, 5mph, 3:00pm)), s)
      ∧ HoldsIn(moving(TrainB, x_B, (50mi, 5mph, 3:00pm)), s)]


Therefore,


HoldsAt(moving(TrainA, x_A, (50mi, 5mph, 3:00pm)), t).
HoldsAt(moving(TrainB, x_B, (50mi, 5mph, 3:00pm)), t).


where t > 3:00pm.


6 Soundness and Completeness Theorem 


Definition 9. A marker set is a subset $S$ of $\mathbb{R}$ such that, for all $T_1$ in $\mathbb{R}$, the
set of $T_2$ in $S$ such that $T_2 < T_1$ is finite.


Definition 10. A formula $\psi$ is chronological in argument $k$ with respect to a
formula $\chi$ and a marker set $S$ if

(a) it has the form $\forall x\, q(x) \leftrightarrow \phi(x)$, where $q$ is a predicate whose $k$th argument
is a time point and $\phi(x)$ is a formula in which $x$ is free, and

(b) all occurrences of $q$ in $\phi(x)$ are in conjunctions of the form $q(z) \wedge z_k <
x_k \wedge \theta$, where $\chi \wedge \psi \models \neg\theta$ if $z_k \notin S$.


Theorem 1. Consider only models in which the time points are interpreted as
reals, and in which $<$ is interpreted accordingly. Let $P^*$ and $Q^*$ be sets of
predicates such that $Q^*$ includes $q$. Let $\psi = \forall x\, q(x) \leftrightarrow \phi(x)$ be a formula which
is chronological in some argument with respect to a formula $\chi$ which does not
mention the predicate $q$, and a marker set $S$. Then


$$CIRC[\chi \wedge \psi;\, P^*;\, Q^*] \models CIRC[\chi;\, P^*;\, Q^*].$$


In order to minimize domains and histories, two other properties of
circumscription will be useful.

Theorem 2. Let $\lambda$ be any formula and $\delta(x)$ be any formula in which $x$ is free.
$CIRC[\lambda \wedge \forall x\, p(x) \leftarrow \delta(x);\, p]$ is equivalent to $\lambda \wedge \forall x\, p(x) \leftrightarrow \delta(x)$ if $\lambda$ and $\delta(x)$
are formulae containing no occurrences of the predicate $p$.


Theorem 3. Let $\lambda$ be any formula and $\delta(x)$ be any formula in which $x$ is free.
If all occurrences of the predicates $p_1, p_2, \ldots, p_n$ in a formula $\lambda$ are positive, then
$CIRC[\lambda; P^*]$, where $P^* = p_1, p_2, \ldots, p_n$, is equivalent to


$$CIRC[\lambda; p_1] \wedge CIRC[\lambda; p_2] \wedge \ldots \wedge CIRC[\lambda; p_n].$$


Theorems 1, 2 and 3 are reproduced here without proof; proofs can be
found in the papers of Shanahan [12] and Lifschitz [8], respectively.

Let D = (𝒫, ℰ) be a consistent domain description for process semantics,
where 𝒫 is a set of initial processes and ℰ is a set of events. We write
𝒫 = (p_1, p_2, ..., p_m) and ℰ = (e_1, e_2, ..., e_n).

Let OBS(P, a, t_s) denote an observation of the process with name n at time
t_s, where a is a symbol in C or F for some process scheme (C, F) and a = r
(where r is an observed value). In the event calculus we describe an observation
in the following form: HoldsAt(P(n, R, C), t_s) ∧ a = r, where a is a variable
name in R or C.


Lemma 1. Let π denote the defined translation from the process semantics into
the event calculus and D be a consistent domain description for process
semantics. For any process P, if CIRC_ec[πP ∧ ES ∧ G] ⊨ HoldsAt(P(n, R, C), t_s) ∧
a ∈ (R ∪ C) ∧ a = r, then D entails OBS(P, a, t_s) ∧ a = r.


Proof. Let λ denote the conjunction of πP, ES and G. Suppose that for any
process P from D, CIRC_ec[λ] ⊨ HoldsAt(P(n, R, C), t_s) ∧ a ∈ (R ∪ C) ∧ a = r.
Then there must exist a state s and it follows that


(∃s) (State(t, s) ∧ HoldsIn(P(n, R, C), s)).


Since all occurrences of Happens, ImplicitHappens, Initiates and Terminates
in λ are positive, from Theorem 3, we have that


CIRC_ec[λ; Happens, ImplicitHappens, Initiates, Terminates]

is equivalent to

CIRC[λ; Happens] ∧ CIRC[λ; ImplicitHappens] ∧ CIRC[λ; Initiates] ∧
CIRC[λ; Terminates].


Applying Theorem 2 to each conjunct in this formula, it can be seen that
Happens, ImplicitHappens, Initiates and Terminates are true in all models under
circumscription.

Case 1: If HoldsAt(P(n, R, C), t_s) ∧ a ∈ (R ∪ C) ∧ a = r is true, and
(∃e′) time(e′) < t_s ∧ terminates(e′, after(Q(n, F, R, C), e)) is not true, it
is clear that in the process semantics any model of D is also a model of the
observation OBS(P, a, t_s), i.e., D entails OBS(P, a, t_s) ∧ a = r.

Case 2: Assume that there exists a set of events ℰ such that, for any event
e ∈ ℰ, time(e) < t_s. Since CIRC_ec[λ] ⊨ HoldsAt(P(n, R, C), t_s) ∧ a = r, with
the rules (G1)-(G10) we can deduce that the event e is applicable and occurs at
a certain time time(e). By applying rules (G8) and (G9) we can further deduce a
set of processes which are initiated by the event e and meet the rule (G1) such
that, for one of these processes P(n, R, C), HoldsAt(P(n, R, C), t_s) ∧ a = r
holds. It follows that the process P(n, R, C), initiated by the event e, with
the observed value r is true in all the models of CIRC_ec[λ]. By Definition 3.8,
under the given events and processes, the observed value a = r is true in all
the system developments for the observation OBS(P, a, t_s). Thus, D entails the
observation OBS(P, a, t_s) ∧ a = r.


Theorem 4. [Soundness Theorem] Let D be a consistent domain description
for process semantics and π denote the translation from the process semantics
into the event calculus. For any process P, if πD entails πP, then D entails P.


Proof. By Lemma 1, an observation OBS(P, a, t_s) ∧ a = r is entailed by D
if CIRC[πP ∧ ES ∧ G] ⊨ πOBS. Suppose πD entails πP. Since the observation is
made during a development of the system being modeled and involves some
concrete process at time t_s, this observed process holds under the development
of the system (given the set of initial processes and the set of events) if
HoldsAt(P(n, R, C), t_s) is true in all the models of CIRC[πP ∧ ES ∧ G]. It
follows that D entails P.


Theorem 5. [Completeness Theorem] Let D be a consistent domain description
for process semantics and π denote the translation from the process semantics
into the event calculus. For any process P, if D entails P, then πD entails πP.


Proof. Assume that D entails P; then since D is consistent, every system
development of the process P satisfies a set of observations for P under D. Let
OBS(P, a, t_s) represent an observation for the process P at time t_s for which
the observed value is a real number, denoted a = r.

For any process P from D, let χ be the conjunction of πP, ES and G without
ES6 and G1.

CIRC_ec[χ] is defined as the conjunction of


CIRC[χ; Happens, Initiates, Terminates; State, HoldsAt]

with

CIRC[χ; AbState; Happens, Initiates, Terminates, State, HoldsAt].


We take the first conjunct. Since all occurrences of Happens, ImplicitHappens,
Initiates, and Terminates in χ are positive,


CIRC[χ; Happens, ImplicitHappens, Initiates, Terminates]

is equivalent to

CIRC[χ; Happens] ∧ CIRC[χ; ImplicitHappens] ∧ CIRC[χ; Initiates] ∧
CIRC[χ; Terminates].


Since there are no occurrences of State, HoldsAt in χ, from Theorem 3,
applying Theorem 2 to each conjunct in this formula, it can be seen that Happens,
ImplicitHappens, Initiates, Terminates and Holds are true in all of its models
under circumscription.

We take the second conjunct of CIRC_ec[χ]. The only abnormal combinations
of true elements are those which include both (P, False) and (P, True) for P. So,
in all models of


CIRC[χ; AbState; Happens, Initiates, Terminates]


we have


AbState(s) ↔ (∃P) [(P, False) ∈ s ∧ (P, True) ∈ s].


Since there are no occurrences of State, HoldsAt in χ, we allow these
predicates to vary, which does not affect the outcome of circumscription. So,
the formula above is also true in all models of CIRC_ec[χ].

Since (G1) and (ES6) are chronological, by applying Theorem 1,
CIRC[χ ∧ G1 ∧ ES6] ⊨ CIRC[χ].

The combination of axioms (ES) with the general rules (G) ensures that for
the process P from D, in all models under circumscription we have


(∃s) (State(t, s) ∧ HoldsIn(P(n, R, C), s)).


It follows that HoldsAt(P(n, R, C), t) is true in all models of
CIRC[χ ∧ G1 ∧ ES6].

For every system development of the process P under D, we have the
observation OBS(P, a, t_s) with the observed value a = r (r is a real) at the
time t_s. Thus, for a ∈ (R ∪ C) and a = r in D, we have CIRC_ec[χ ∧ G1 ∧ ES6] ⊨
HoldsAt(P(n, R, C), t_s) ∧ a ∈ (R ∪ C) ∧ a = r. It follows that πD entails πP.


7 Concluding Remarks 


In this paper we have provided a method to represent the process semantics
in the event calculus. For specifying the properties of continuous change, the
concepts of process, event and state transition law of the process semantics are
formalized in the event calculus, based on the described general translation
rules. We have further proved the soundness and completeness of the event
calculus with respect to the process semantics.

Only a handful of other authors have given attention to the problem of using
logic to represent continuous change. Based on the event calculus, some
techniques were presented for representing continuous change to complement
its existing capability for discrete change. For example, Shanahan [11, 12]
outlined a framework for representing continuous change based on the ontology of
events. Belleghem, Denecker and de Schreye [2] presented an abductive version
of event calculus for this purpose. All of these approaches can be embedded in
logic programming but, in contrast to our method, are not yet defined in a
high-level description semantics for processes and continuous change.


Abstract. Janhunen et al. [14] have proposed a translation technique
for normal logic programs in order to capture the alternating fix-points
of a program with the stable models of the translation. The same technique
is also applicable in the disjunctive case so that partial stable
models can be captured. In this paper, the aim is to capture Przymusinska
and Przymusinski’s stationary extensions with Reiter’s extensions
using the same translational idea. The resulting translation function is
polynomial, but only weakly modular and not perfectly faithful. Fortunately,
another technique leads to a polynomial, faithful and modular
(PFM) translation function. As a result, stationary default logic (STDL)
is ranked in the expressive power hierarchy (EPH) of non-monotonic logics
[13]. Moreover, reasoning with stationary extensions as well as brave
reasoning with regular extensions (i.e., maximal stationary extensions)
can be implemented using an inference engine for reasoning with Reiter’s
extensions.


1 Introduction 


Quite recently, Janhunen et al. [14] have proposed a translation for normal logic
programs. Using this translation the alternating fix-points of a program P [23]
can be captured with the stable models [5] of the translation Tr_AFP(P). This is
interesting, since the alternating fix-points of P include the well-founded model
of P [25], the stable models of P [5] as well as the regular models of P [26].
Formally speaking, an alternating fix-point M of P satisfies (i) M = Γ_P^2(M)
and (ii) M ⊆ Γ_P(M) where Γ_P is the famous Gelfond-Lifschitz operator [5] and
Γ_P^2 corresponds to applying Γ_P twice. Such a fix-point M can be understood as
follows: M and M′ = Γ_P(M) specify true and possibly true atoms, respectively.
Thus M induces a partial (or three-valued) model of P in which an atom a can be
true (a ∈ M), undefined (a ∈ M′ − M) or false (a ∉ M′). Note that M becomes
a (total) stable model of P if M = M′. These observations justify the view
that the translation function Tr_AFP lets us unfold partiality under the stable
model semantics [14]. A similar setting arises in conjunction with disjunctive
logic programs: partial stable models [20] can be captured with total ones [6].
Since normal and disjunctive logic programs can be seen as special cases of
Reiter’s default theories [22], one could expect that the same translational idea
can be applied to Reiter’s default logic (DL). In this context, Przymusinska and
Przymusinski have proposed a partial semantics for default logic [19]: stationary
extensions of default theories are analogous to alternating fix-points of normal
logic programs (an equivalent notion is used by Dix [4]). One of the main goals of
this paper is to analyze the possibilities of generalizing the translation
Tr_AFP(P) for default theories under stationary extensions. Moreover, the author
[13] has used polynomial, faithful, and modular (PFM) translation functions in
order to classify non-monotonic logics by their expressive powers. As a result of
this analysis, the expressive power hierarchy of non-monotonic logics (EPH) was
obtained. Further refinements to EPH are given in [12]. From the perspective of
EPH, it would be important to find out the exact position of stationary default
logic (STDL) in EPH. A crucial step in this respect is that we succeed in
embedding STDL into conventional DL using a PFM translation function.

The rest of the paper is organized as follows. Basic notions of DL and STDL
are reviewed in Sections 2 and 3, respectively. Then the classification method
based on polynomial, faithful and modular (PFM) translation functions is
introduced in Section 4. These properties of translation functions play an
important role in the subsequent analysis. Starting from the translation function
proposed for normal and disjunctive logic programs by Janhunen et al. [14], a
preliminary translation function Tr_ST1 for default theories is worked out in
Section 5. Unfortunately, this translation function turns out to be
unsatisfactory: it is not perfectly faithful and it is only weakly modular. These
problems are addressed in Section 6 where another translational technique is
applied successfully: a PFM translation function Tr_ST2 is obtained. In addition,
comparisons with other logics in EPH are made in order to classify STDL properly
in EPH. Brave reasoning with regular extensions also turns out to be manageable
via Tr_ST2. Finally, the conclusions of the paper are presented in Section 7.
Future work is also sketched.


2 Default Logic 


In this section, we review the basic definitions of Reiter’s default logic [22] in
the propositional case. The reader is assumed to be familiar with classical
propositional logic (CL). We write ℒ(𝒜) to declare a propositional language ℒ
based on propositional connectives (¬, ∧, ∨, →, ↔) and constants (truth ⊤ and
falsity ⊥) and a set of propositional atoms 𝒜. On the semantical side,
propositional interpretations I ⊆ 𝒜 and models M ⊆ 𝒜 are defined in the standard
way. The same applies to conditions when a sentence φ ∈ ℒ is valid (denoted by
⊨ φ) and a propositional consequence of a theory T ⊆ ℒ (denoted by T ⊨ φ). The
theory Cn(T) = {φ ∈ ℒ | T ⊨ φ} is the closure of a theory T ⊆ ℒ under
propositional consequence. A sentence φ ∈ ℒ is consistent with a theory T ⊆ ℒ
(denoted by T * φ) whenever T ∪ {φ} is propositionally consistent, i.e. T ∪ {φ}
has at least one model. Note that T * φ ⇔ T ⊭ ¬φ holds in general. Moreover,
T * ⊤ expresses that a theory T ⊆ ℒ is propositionally consistent, i.e. T ⊭ ⊥.

In Reiter’s default logic [22], basic syntactic elements are default rules (or
simply defaults) which are expressions of the form α : β_1, ..., β_n / γ where
α, β_1, ..., β_n, and γ are sentences of ℒ. The intuition behind such a rule is
that if the prerequisite α has been inferred and each of the justifications β_i
is (separately) consistent with our beliefs, then the consequent γ can be
inferred. A default theory in a propositional language ℒ(𝒜) is a pair (D,T) where
D is a set of defaults in ℒ and T ⊆ ℒ is a propositional theory. For a set of
defaults D, we let Cseq(D) denote the set of consequents
{γ | α : β_1, ..., β_n / γ ∈ D} that appear in D.

The semantics of a default theory (D,T) is determined by its extensions,
i.e. sets of conclusions that are propositionally closed theories associated with
(D,T). Rather than presenting Reiter’s definition of extensions [22] we resort to
one by Marek and Truszczyński [16]. The justifications of a set of defaults are
interpreted as follows. For any E ⊆ ℒ, the reduct D_E contains an (ordinary)
inference rule α / γ whenever there is a default α : β_1, ..., β_n / γ ∈ D such
that E * β_i for all i ∈ {1, ..., n}. Given T ⊆ ℒ and a set of inference rules R
in ℒ, we let Cn^R(T) denote the closure of T under R and propositional
consequence. More precisely, the closure Cn^R(T) is the least theory T′ ⊆ ℒ
satisfying (i) T ⊆ T′, (ii) for every rule α / γ ∈ R, α ∈ T′ implies γ ∈ T′, and
(iii) Cn(T′) ⊆ T′. The closure Cn^R(T) can be characterized using a proof system
[11,16]. A sentence φ is R-provable from T if there is a sequence
α_1 / γ_1, ..., α_n / γ_n of rules from R such that T ∪ {γ_1, ..., γ_{i−1}} ⊨ α_i
for all i ∈ {1, ..., n} and T ∪ {γ_1, ..., γ_n} ⊨ φ. Then φ ∈ ℒ is R-provable
from T ⇔ φ ∈ Cn^R(T). The definition of extensions follows.


Definition 1 (Marek and Truszczyński [16]). A theory E ⊆ ℒ is an extension
of a default theory (D,T) in ℒ if and only if E = Cn^{D_E}(T).


By default logic (DL) we mean default theories under Reiter’s extensions. A
default theory (D,T) need not have a unique extension, nor any extensions at
all. Typically two approaches are used. In the brave approach, it is sufficient
to find one extension E containing the query φ ∈ ℒ. In the cautious approach, the
query φ ∈ ℒ should belong to every extension, i.e. the intersection of extensions.


3 Stationary Default Logic 


As already stated, the existence of Reiter’s extensions is not guaranteed in gen- 
eral. Motivated by the well-founded semantics [24] and alternating fix-points [23] 
of normal logic programs, Przymusinska and Przymusinski [19] propose a weaker 
notion of extensions as a solution to the problem. Dix [4] considers an equivalent 
semantics in order to establish a cumulative variant of DL. 


Definition 2 (Przymusinska and Przymusinski [19]). A theory E ⊆ ℒ is a
stationary extension of a default theory (D,T) in ℒ if and only if
E = Cn^{D_{E′}}(T) holds for the theory E′ = Cn^{D_E}(T) and E ⊆ E′.


The intuition is that the theory E provides the set of actual conclusions
associated with (D,T) while E′ can be understood as the set of potential
conclusions (cf. the alternating fix-points of normal logic programs described in
the introduction). This explains why the requirement E ⊆ E′ is reasonable, i.e.
actual conclusions must also be potential conclusions. Note that if (in addition)
E′ ⊆ E holds, then E = E′ is a Reiter-style extension of (D,T). By stationary
default logic (STDL) we mean default theories under stationary extensions.

Every default theory (D,T) is guaranteed to have at least one stationary
extension E known as the least stationary extension of (D,T). It serves as an
approximation of any other stationary extension F of (D,T) in the sense that
E ⊆ F. This applies equally to any Reiter-style extension of (D,T), which is
also a stationary extension of (D,T). Complexity results on DL [7] and STDL
[8] support the approximative view: cautious reasoning with Reiter’s extensions
(a Π^p_2-complete decision problem) is strictly more complex than cautious
reasoning with stationary extensions (a Δ^p_2-complete decision problem). The
least stationary extension of a finite default theory (D,T) can be iteratively
constructed [4,19]. Initially, let E_0 = ∅ and E′_0 = Cn^{D_∅}(T). Then compute
E_i = Cn^{D_{E′_{i−1}}}(T) and E′_i = Cn^{D_{E_i}}(T) for i = 1, 2, ... until
E_i = E_{i−1} holds. For instance, the set of
defaults D = {2, tapea, toes 4} and the theory T = {b — p,c > p} 
(adopted from [11, Example 10.18]) give rise to the following iteration sequence:
E_0 = ∅, E_1 = Cn({b ∨ c, p, s}), E_2 = Cn({b ∨ c, p, s, r}) and E_3 = E_2.
Consequently, the theory E_2 is the least stationary extension of (D,T). In fact,
E_2 is the unique (Reiter-style) extension of (D,T), as E_2 = E′_2.

There are two ways to distinguish propositionally consistent stationary
extensions of a default theory (D,T). The first one is simply to require that E is
propositionally consistent. The other demands that the set of potential
conclusions E′ = Cn^{D_E}(T) is propositionally consistent, too. In the latter
case, we say that E is strongly propositionally consistent. Let us highlight the
difference of
these notions of consistency by a set of defaults D = {⊤ : a / a, ⊤ : ¬a / ¬a, ⊤ / b} in ℒ({a, b}).
Now (D, ∅) has three stationary extensions: E_1 = Cn({b}), E_2 = Cn({a, b}),
and E_3 = Cn({¬a, b}). The respective sets of potential conclusions are E′_1 = ℒ,
E′_2 = E_2, and E′_3 = E_3. Thus E_1 is (only) propositionally consistent while
E_2 and E_3 are strongly propositionally consistent.
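
The definitions of this section can be checked mechanically on small examples. The following Python sketch is only an illustration and not part of the original development: it represents a propositionally closed theory by its set of models, computes the closure Cn^{D_E}(T) by brute force, and enumerates the stationary extensions over the atoms a and b. The concrete defaults in `D` are an assumption, namely one reading of the example above that is consistent with the three stationary extensions listed there; all function names are hypothetical.

```python
from itertools import chain, combinations

ATOMS = ("a", "b")

def subsets(items):
    items = list(items)
    return [frozenset(c) for c in chain.from_iterable(
        combinations(items, k) for k in range(len(items) + 1))]

INTERPRETATIONS = subsets(ATOMS)      # an interpretation = the set of true atoms

def models(formula):
    """A formula is a predicate on interpretations; return its set of models."""
    return frozenset(i for i in INTERPRETATIONS if formula(i))

# A default is (prerequisite, justifications, consequent), each given as a formula.
TOP = lambda i: True
A = lambda i: "a" in i
NOT_A = lambda i: "a" not in i
B = lambda i: "b" in i
D = [(TOP, [A], A), (TOP, [NOT_A], NOT_A), (TOP, [], B)]   # assumed reading of D

def gamma(defaults, theory, e):
    """Models of Cn^{D_E}(T); theories are represented by their model sets."""
    # Reduct D_E: keep a rule when every justification is consistent with E.
    rules = [(models(p), models(c)) for p, js, c in defaults
             if all(models(j) & e for j in js)]
    current, changed = theory, True
    while changed:
        changed = False
        for pre, con in rules:
            # Fire the rule if the prerequisite is entailed and the consequent is new.
            if current <= pre and not current <= con:
                current, changed = current & con, True
    return current

def is_stationary(defaults, theory, e):
    e_prime = gamma(defaults, theory, e)
    # E = Cn^{D_E'}(T), and E ⊆ E' (equivalently: models of E' ⊆ models of E).
    return gamma(defaults, theory, e_prime) == e and e_prime <= e

def least_stationary(defaults, theory):
    e = frozenset(INTERPRETATIONS)    # E_0 = ∅: every interpretation is a model
    while True:
        nxt = gamma(defaults, theory, gamma(defaults, theory, e))
        if nxt == e:
            return e
        e = nxt

T = frozenset(INTERPRETATIONS)        # T = ∅
stationary = [e for e in subsets(INTERPRETATIONS) if is_stationary(D, T, e)]
print(len(stationary), least_stationary(D, T) == models(B))
```

Under the stated assumption on D, the enumeration finds three stationary extensions, and the iteration from E_0 = ∅ stops at Cn({b}). Representing theories by model sets keeps the sketch short but is exponential in the number of atoms, so it is only meant for toy examples.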


4 PFM Translation Functions and EPH


In this section, we recall the classification method [12,13] which has been
designed for comparing the expressive powers of non-monotonic logics. In the
sequel, we assume that non-monotonic logics under consideration use a
propositional language ℒ as a sublanguage. Therefore, we let (X,T) stand for a
non-monotonic theory in general. Here T ⊆ ℒ is a propositional theory and X is a
set of parameters specific to the non-monotonic logic L in question. For instance,
the set of parameters X is a set of defaults in default logic. We let ||(X,T)||
stand for the length of (X,T) in symbols.

Generally speaking, a translation function Tr : L_1 → L_2 transforms a theory
(X,T) of one non-monotonic logic L_1 into a theory of another non-monotonic
logic L_2. Both logics are assumed to have a notion of extensions available. Our
requirements for Tr are the following. A translation function Tr is (i)
polynomial, if for all X and T, the time required to compute Tr((X,T)) is
polynomial in ||(X,T)||, (ii) faithful, if for all X and T, the propositionally
consistent extensions of (X,T) and Tr((X,T)) are in one-to-one correspondence
and coincide up to ℒ, and (iii) modular, if for all X and T, the translation
Tr((X,T)) = (X′, T′ ∪ T) where (X′, T′) = Tr((X, ∅)). A translation function
Tr : L_1 → L_2 is called PFM if it satisfies all the three criteria.

Note that a modular translation function translates the set of parameters X 
independently of T which remains untouched in the translation. For the purposes 
of this paper, we distinguish also weakly modular translation functions considered 
by Gottlob [9]. A translation function Tr is weakly modular, if for all X and
T, Tr((X,T)) = (X′, T′ ∪ t(T)) where (X′, T′) = Tr((X, ∅)) and t is a separate
translation function for T. Note that the translation of X remains independent 
of the translation of T even in this setting. 

Given two non-monotonic logics L_1 and L_2, we write L_1 →_PFM L_2, if there
exists a PFM translation function Tr : L_1 → L_2. Then L_2 is considered to be
as expressive as L_1. In certain cases, we are able to construct a counter-example
which shows that a translation function satisfying our criteria does not exist. We
use the notation L_1 ↛_PFM L_2 in such cases and we may also drop any of the three
letters (referring to the three criteria) given that the corresponding criterion
is not needed in the counter-example (note that L_1 ↛_FM L_2 implies
L_1 ↛_PFM L_2, for instance). Further relations are definable for non-monotonic
logics in terms of the base relations →_PFM and ↛_PFM: (i) L_1 is less expressive
than L_2 (denoted by L_1 ⟹_PFM L_2) if L_1 →_PFM L_2 and L_2 ↛_PFM L_1, (ii) L_1
and L_2 are equally expressive (denoted by L_1 ⟷_PFM L_2) if L_1 →_PFM L_2 and
L_2 →_PFM L_1, and (iii) L_1 and L_2 are mutually incomparable (denoted by
L_1 ↮_PFM L_2) if L_1 ↛_PFM L_2 and L_2 ↛_PFM L_1.

In Fig. 1, we have depicted the current EPH using only single representatives
of the classes that have been obtained from DL via syntactic restrictions.
Normal DL (NDL) is based on defaults of the form α : β / β. In prerequisite-free
DL (PDL) only defaults of the form ⊤ : β_1, ..., β_n / γ are allowed. The third
variant (PNDL) is a hybrid of NDL and PDL with defaults of the form ⊤ : β / β.
The semantics of these syntactic variants is determined by Reiter’s extensions.
Recall that CL stands for propositional logic. The reader is referred to [12,13]
for the complete EPH with 11 non-monotonic logics.


Fig. 1: Classes of EPH Represented by Syntactic Variants of DL

5 A Weakly Modular Translation 


The goal of this section is to generalize the translation proposed by Janhunen
et al. [14] so that the stationary extensions of a default theory (D,T) can be
captured with the (Reiter-style) extensions of the translation. For a while, we
restrict ourselves to the case of normal logic programs in order to explain the
ideas behind the translation function Tr_AFP discussed in the introduction. The
way to represent partial models of a normal logic program P is to introduce a
new atom a• for each atom a that appears in P. The intuitive reading of a•
is that a is potentially true. Then undefined atoms are captured with a total
model N as follows: an atom a is undefined in a partial model if and only if a is
false in N and a• is true in N. The translation Tr_AFP(P) is obtained as follows:
a rule of the form a ← b_1, ..., b_n, ∼c_1, ..., ∼c_m is translated into two rules
a ← b_1, ..., b_n, ∼c•_1, ..., ∼c•_m and a• ← b•_1, ..., b•_n, ∼c_1, ..., ∼c_m.
In addition, a rule of the form a• ← a is introduced for each atom a that appears
in P. Rules of the latter type make sure that any atom that is true is also
potentially true (cf. Section 1). As a result of this transformation on the rules
of P, the stable models of Tr_AFP(P) capture the alternating fix-points of P
exactly.
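
To make the rule-level transformation concrete, here is a small Python sketch, offered only as an illustration under stated assumptions. It encodes a rule as a triple (head, positive body, negative body), writes the new atom a• as the string `a + "•"` (a naming convention chosen here), and checks by brute force on the two-rule program a ← ∼b, b ← ∼a that the stable models of the translation are exactly the sets M ∪ (M′)• obtained from the alternating fix-points M. The function names are hypothetical.

```python
from itertools import chain, combinations

def mark(atom):
    """Name of the new atom a• for an atom a (naming convention assumed here)."""
    return atom + "•"

def tr_afp(program):
    """Translate each rule into two rules and add a• <- a for every atom."""
    atoms, out = set(), []
    for head, pos, neg in program:
        atoms |= {head, *pos, *neg}
        out.append((head, tuple(pos), tuple(mark(c) for c in neg)))
        out.append((mark(head), tuple(mark(b) for b in pos), tuple(neg)))
    out.extend((mark(a), (a,), ()) for a in sorted(atoms))
    return out

def atoms_of(program):
    return sorted({x for h, p, n in program for x in (h, *p, *n)})

def gamma(program, m):
    """Gelfond-Lifschitz operator: least model of the reduct of program w.r.t. m."""
    reduct = [(h, p) for h, p, n in program if not set(n) & m]
    least, changed = set(), True
    while changed:
        changed = False
        for h, p in reduct:
            if h not in least and set(p) <= least:
                least.add(h)
                changed = True
    return frozenset(least)

def subsets(items):
    return (frozenset(c) for c in chain.from_iterable(
        combinations(items, k) for k in range(len(items) + 1)))

def stable_models(program):
    return {m for m in subsets(atoms_of(program)) if gamma(program, m) == m}

def alternating_fixpoints(program):
    return {m for m in subsets(atoms_of(program))
            if gamma(program, gamma(program, m)) == m and m <= gamma(program, m)}

# Example program: a <- ~b.  b <- ~a.
P = [("a", (), ("b",)), ("b", (), ("a",))]
expected = {m | {mark(x) for x in gamma(P, m)} for m in alternating_fixpoints(P)}
print(stable_models(tr_afp(P)) == expected)
```

For this program the alternating fix-points are ∅, {a} and {b}, and the translation has three stable models accordingly. The subset enumeration is exponential and is used only to keep the check self-contained.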

Let us now devise an analogous translation for a default theory (D,T) in a
propositional language ℒ(𝒜). A new atom a• is introduced for each atom a ∈ 𝒜
and we define A• = {a• | a ∈ A} for any set of atoms A ⊆ 𝒜. Since propositional
logic is based on a much richer syntax than bare atoms, we have to find a way to
express that an arbitrary sentence φ ∈ ℒ is a potential conclusion (i.e. a member
of E′ in Definition 2). As a solution, we introduce a sentence φ• for each φ ∈ ℒ.


Definition 3. The sentences φ of ℒ(𝒜) are translated by the following rules: (i)
(⊤)• = ⊤, (ii) (⊥)• = ⊥, (iii) (a)• = a• for an atom a ∈ 𝒜, (iv) (¬ψ)• = ¬(ψ)•,
and (v) (ψ_1 ∘ ψ_2)• = (ψ_1)• ∘ (ψ_2)• for any connective ∘ ∈ {∧, ∨, →, ↔}.


By this definition, any sentence φ ∈ ℒ(𝒜) is translated into a sentence φ•
in the propositional language ℒ• based on 𝒜•. For instance, (¬a → (b ∨ ⊥))• is
rewritten as ¬a• → (b• ∨ ⊥). For a theory T ⊆ ℒ and a set of inference rules
R in ℒ, we let T• and R• stand for the theory {φ• | φ ∈ T} ⊆ ℒ• and the set
of inference rules {α• / γ• | α / γ ∈ R} in ℒ•, respectively. The following lemmas
state some useful properties of theories involving sentences from ℒ and ℒ•.
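
The recursive renaming of Definition 3 can be sketched in a few lines of Python. This is only an illustration: the encoding of sentences as nested tuples and the names `bullet` and `show` are assumptions made here, not notation from the paper.

```python
# Sentences as nested tuples: ("top",), ("bot",), ("atom", name),
# ("not", f), and (op, f, g) with op in {"and", "or", "imp", "iff"}.
SYMBOLS = {"and": "∧", "or": "∨", "imp": "→", "iff": "↔"}

def bullet(formula):
    """Map a sentence to its marked copy by renaming every atom a to a•."""
    tag = formula[0]
    if tag in ("top", "bot"):              # (i), (ii): constants are unchanged
        return formula
    if tag == "atom":                      # (iii): a becomes a•
        return ("atom", formula[1] + "•")
    if tag == "not":                       # (iv): push the translation inside
        return ("not", bullet(formula[1]))
    if tag in SYMBOLS:                     # (v): translate both operands
        return (tag, bullet(formula[1]), bullet(formula[2]))
    raise ValueError(f"unknown connective: {tag}")

def show(formula):
    """Render a sentence as text, fully parenthesising binary connectives."""
    tag = formula[0]
    if tag == "top":
        return "⊤"
    if tag == "bot":
        return "⊥"
    if tag == "atom":
        return formula[1]
    if tag == "not":
        return "¬" + show(formula[1])
    return f"({show(formula[1])} {SYMBOLS[tag]} {show(formula[2])})"

# The example from the text: ¬a → (b ∨ ⊥)
phi = ("imp", ("not", ("atom", "a")), ("or", ("atom", "b"), ("bot",)))
print(show(bullet(phi)))   # prints (¬a• → (b• ∨ ⊥))
```

Applying `bullet` to every member of a theory T, or to the premise and conclusion of every rule in R, gives T• and R• in the same way.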


Lemma 1. Let T ⊆ ℒ(𝒜) and S ⊆ ℒ(𝒜) be theories so that S• ⊆ ℒ•(𝒜•) and
T ∪ S• ⊆ ℒ′(𝒜 ∪ 𝒜•). Consider any φ ∈ ℒ(𝒜). Then (i) (T ∪ S•) * ⊤ ⇔ T * ⊤
and S• * ⊤, (ii) if S• * ⊤, then (T ∪ S•) * φ ⇔ T * φ and T ∪ S• ⊨ φ ⇔ T ⊨ φ,
and (iii) if T * ⊤, then (T ∪ S•) * φ• ⇔ S• * φ• and T ∪ S• ⊨ φ• ⇔ S• ⊨ φ•.


Lemma 2. Let T be a propositional theory in ℒ(𝒜) and φ ∈ ℒ any sentence.
Then it holds that (i) T * φ ⇔ T• * φ•, (ii) T ⊨ φ ⇔ T• ⊨ φ•, (iii) [Cn(T)]• =
Cn(T•), and (iv) [Cn^R(T)]• = Cn^{R•}(T•).


The generalization of Tr_AFP for default theories follows.

Definition 4. For any default theory (D,T) in ℒ(𝒜), let Tr_ST1((D,T)) =
({α : β•_1, ..., β•_n / γ, α• : β_1, ..., β_n / γ• | α : β_1, ..., β_n / γ ∈ D}
∪ {γ / γ• | γ ∈ Cseq(D)}, T ∪ T•).

The intuition behind the translation is to capture a stationary extension E
of (D,T) as well as the associated set of potential conclusions E′ with an
extension Cn(E ∪ (E′)•) of the translation Tr_ST1((D,T)). The defaults of the
forms α : β•_1, ..., β•_n / γ and α• : β_1, ..., β_n / γ• capture the closures
Cn^{D_{E′}}(T) and (Cn^{D_E}(T))•, respectively. The latter closure (i.e. (E′)•)
is encoded in ℒ• rather than ℒ. The defaults of the form γ / γ• enforce the
relationship E ⊆ E′, i.e. actual conclusions have to be potential as well. Using
Lemmas 1 and 2, we may compute the reduct of the set of defaults D′ involved in
the translation Tr_ST1((D,T)).


Proposition 1. Let (D,T) be a default theory in ℒ(𝒜) and (D′, T ∪ T•) the
translation Tr_ST1((D,T)) in ℒ′(𝒜 ∪ 𝒜•). Moreover, let E = Cn(E_1 ∪ E_2•) hold
for propositionally consistent theories E_1 and E_2 in ℒ. Then for
α : β_1, ..., β_n / γ ∈ D,


(i) α / γ ∈ D′_E ⇔ α / γ ∈ D_{E_2}, (ii) α• / γ• ∈ D′_E ⇔ α / γ ∈ D_{E_1}, and
(iii) γ / γ• ∈ D′_E.


Using these relationships of D′_E, D_{E_1}, and D_{E_2}, as well as Lemmas 1 and
2, it can be shown that Tr_ST1 captures stationary extensions in the following way.


Theorem 1. Let (D,T) be a default theory in ℒ(𝒜) and (D′, T ∪ T•) the
translation Tr_ST1((D,T)) in ℒ′(𝒜 ∪ 𝒜•). If E_1 ⊆ ℒ is a strongly propositionally
consistent stationary extension of (D,T) and E_2 = Cn^{D_{E_1}}(T), then
E = Cn(E_1 ∪ E_2•) ⊆ ℒ′ is a propositionally consistent extension of (D′, T ∪ T•).


Theorem 2. Let (D,T) be a default theory in ℒ(𝒜) and (D′, T ∪ T•) the
translation Tr_ST1((D,T)) in ℒ′(𝒜 ∪ 𝒜•). If E ⊆ ℒ′ is a propositionally consistent
extension of (D′, T ∪ T•), then E_1 = E ∩ ℒ is a strongly propositionally
consistent stationary extension of (D,T) such that E_2 = {φ ∈ ℒ | φ• ∈ E}
satisfies E_2 = Cn^{D_{E_1}}(T).


A shortcoming of the translation function Tr_ST1 is that it is unable to
capture stationary extensions of a default theory (D,T) that are propositionally
consistent but not strongly propositionally consistent. In other words, Tr_ST1
is not faithful in the sense required in Section 4. Let us recall the set of
defaults D = {⊤ : a / a, ⊤ : ¬a / ¬a, ⊤ / b} from Section 3 in order to
demonstrate this feature of Tr_ST1. The translation Tr_ST1((D, ∅)) = (D′, ∅)
where the set of defaults D′ is {⊤ : a• / a, ⊤ : a / a•, ⊤ : ¬a• / ¬a,
⊤ : ¬a / ¬a•, ⊤ / b, ⊤ / b•, a / a•, ¬a / ¬a•, b / b•}. The default theory
(D′, ∅) has
two extensions Cn({a, a•, b, b•}) and Cn({¬a, ¬a•, b, b•}) corresponding
to the stationary extensions E_2 = Cn({a, b}) and E_3 = Cn({¬a, b})
of (D, ∅). However, there is no extension corresponding to the stationary
extension E_1 = Cn({b}) of (D, ∅), since E_1 is not strongly propositionally
consistent. Nevertheless, the translation function Tr_ST1 is very close to being
faithful.


Theorem 3. Let (D,T) be a default theory in ℒ(𝒜) and (D′, T ∪ T•) the
translation Tr_ST1((D,T)) in ℒ′(𝒜 ∪ 𝒜•). Then the strongly propositionally
consistent stationary extensions of (D,T) and the propositionally consistent
extensions of (D′, T ∪ T•) are in one-to-one correspondence and coincide up to ℒ.


There is a further reason to consider Tr_ST1 as an unsatisfactory translation
function: it is only weakly modular. This is because Tr_ST1 duplicates the
propositional subtheory T in ℒ•, i.e. it forms the theory T ∪ T•. To enforce
full modularity, we should generate T• in terms of defaults. It is shown in the
following that this is not possible if we wish to keep Tr_ST1 polynomial.


Proposition 2. It is impossible to translate a finite set of atoms 𝒜 into a fixed
set of defaults D in ℒ′(𝒜 ∪ 𝒜•) such that (i) the time needed to translate 𝒜 is
polynomial in |𝒜| and (ii) for all T ⊆ ℒ(𝒜), the theory (D,T) has a unique
extension E = Cn(T ∪ T•) ⊆ ℒ′.


Proof. It is worth stating some relevant properties of propositional logic.
Consider a fixed propositional language ℒ(𝒜) based on a finite set of atoms 𝒜. Any
two propositional theories T_1 ⊆ ℒ and T_2 ⊆ ℒ are considered to be ℒ-equivalent
if Cn(T_1) = Cn(T_2). Consequently, there are 2^(2^|𝒜|) different propositional
theories T in ℒ up to ℒ-equivalence. This is because the models of any
propositional theory T ⊆ ℒ form a subset of the set of all interpretations
{I | I ⊆ 𝒜} which has the cardinality 2^|𝒜|. Of course, the number of different
theories T ⊆ ℒ becomes infinite if ℒ-equivalence of theories is not taken into
account. Let us also recall that it is possible to represent any theory T ⊆ ℒ in
a disjunctive normal form φ_1 ∨ ... ∨ φ_n based on the models M_i ⊆ 𝒜 of T such
that each disjunct φ_i is a conjunction of the literals in
{a | a ∈ M_i} ∪ {¬a | a ∈ 𝒜 − M_i}.

Let us then assume that 𝒜 can be translated into a fixed set of defaults D
in ℒ′(𝒜 ∪ 𝒜•) such that (i) and (ii) hold. Consequently, the length ||D|| is also
bounded by a polynomial p(|𝒜|). Moreover, the unique extension of (D,T) is
of the form Cn(T ∪ Γ) ⊆ ℒ′ where Γ ⊆ Cseq(D) [16] regardless of the choice
for T. It is clear that p(|𝒜|) also provides an upper limit for |Cseq(D)|. Since
T ⊆ ℒ, the theory E = Cn(T ∪ Γ) has at most 2^p(|𝒜|) different projections with
respect to ℒ• up to ℒ•-equivalence. Let us then consider a sufficiently large set
of atoms 𝒜 such that p(|𝒜|) < 2^|𝒜| (this is possible regardless of the polynomial
p(|𝒜|)) and the set of defaults D obtained as a translation. Now the number
of different propositional theories in ℒ• (up to ℒ•-equivalence) exceeds that of
projections Cn(T ∪ Γ) ∩ ℒ• (up to ℒ•-equivalence). Consequently, there is a
theory S• ⊆ ℒ• which is not propositionally equivalent to any of the projections
Cn(T ∪ Γ) ∩ ℒ• where T ⊆ ℒ and Γ ⊆ Cseq(D). This means that (D, S) cannot
have an extension E such that E ∩ ℒ• = S•. But this would be the case if (D, S)
had a unique extension E = Cn(S ∪ S•), a contradiction with (ii).


However, there is a modular but exponential translation of 𝒜 into a set of
defaults that satisfies the second criterion of Proposition 2. Given a finite set
of literals L = {l_1, ..., l_n}, we write ∨L to denote the sentence
l_1 ∨ ... ∨ l_n. A set of atoms 𝒜 is translated into a set of defaults
D = {∨L / ∨L• | L ⊆ 𝒜 ∪ {¬a | a ∈ 𝒜}}. The length of D grows exponentially in
|𝒜|. Since each finite T ⊆ ℒ(𝒜) is equivalent to a sentence
(∨L_1) ∧ ... ∧ (∨L_n) in a conjunctive normal form where each
L_i ⊆ 𝒜 ∪ {¬a | a ∈ 𝒜}, it is clear that the unique extension E of (D,T)
contains exactly the logical consequences of (∨L_1) ∧ ... ∧ (∨L_n) and
(∨L_1•) ∧ ... ∧ (∨L_n•). Thus E = Cn(T ∪ T•) results for all T ⊆ ℒ(𝒜).


6 A Fully Modular Translation 


The analysis in Section 5 reveals two weaknesses of the translation function
Tr_ST1, as it is only weakly modular and it is not faithful, i.e. it does not
capture all propositionally consistent stationary extensions. In this section, we
shall consider another technique in order to overcome these shortcomings of
Tr_ST1. The technique is adopted from [1] where Bonatti and Eiter embed DL into
PDL (such a translation cannot be PFM, as indicated by the classes of EPH [13]).
In their approach, new atoms are introduced as guards (i.e., as antecedents of
implications) in order to encode several propositional theories in one.

Before demonstrating guarding atoms in practice, let us introduce some
notation. Given T ⊆ L(A) and a new atom g ∉ A, we let T^g denote the
theory {g → φ | φ ∈ T} where the sentences of T are guarded by g. Similarly
for a set of inference rules R in L(A) and a new atom g ∉ A, we define
R^g = {(g → α)/(g → γ) | α/γ ∈ R}. Then consider propositional theories
T_1 = {a, a → b} and T_2 = {¬b}. Using guards g_1 and g_2, we define a theory
T = (T_1)^{g_1} ∪ (T_2)^{g_2} = {g_1 → a, g_1 → (a → b), g_2 → ¬b}. The guards
g_1 and g_2 let us distinguish the two subtheories within T. For instance,
T ⊨ g_1 → b holds, since T_1 ⊨ b holds. Moreover, we have that T ⊨ g_2 → ¬b,
because T_2 ⊨ ¬b holds. It is also possible to combine guards:
T ⊨ g_1 ∧ g_2 → ⊥ holds, since T_1 ∪ T_2 is propositionally inconsistent. Note
that T remains propositionally consistent although this is the case. Let us then
state some useful properties of theories and sentences involving
one guarding atom (a generalization for multiple guards is also possible).
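
The guard example above can be checked mechanically. The following is a minimal sketch in Python, assuming a brute-force truth-table test for entailment; the tuple encoding of formulas and the helper names (`holds`, `entails`, `consistent`, `guard`) are illustrative choices and not part of the paper.

```python
from itertools import product

# Formulas are nested tuples: an atom is a string, "bot" stands for falsity,
# and compound formulas are ("not", f), ("and", f, g) or ("imp", f, g).
def holds(f, v):
    if f == "bot":
        return False
    if isinstance(f, str):
        return v[f]
    op = f[0]
    if op == "not":
        return not holds(f[1], v)
    if op == "and":
        return holds(f[1], v) and holds(f[2], v)
    if op == "imp":
        return (not holds(f[1], v)) or holds(f[2], v)
    raise ValueError(op)

def atoms(f):
    if f == "bot":
        return set()
    if isinstance(f, str):
        return {f}
    return set().union(*(atoms(g) for g in f[1:]))

def valuations(formulas):
    names = sorted(set().union(*(atoms(f) for f in formulas)))
    for bits in product([False, True], repeat=len(names)):
        yield dict(zip(names, bits))

def entails(theory, f):
    # theory |= f iff f holds in every model of the theory
    return all(holds(f, v) for v in valuations(list(theory) + [f])
               if all(holds(t, v) for t in theory))

def consistent(theory):
    return any(all(holds(t, v) for t in theory)
               for v in valuations(list(theory)))

def guard(theory, g):
    # T^g = {g -> phi | phi in T}
    return [("imp", g, f) for f in theory]

T1 = ["a", ("imp", "a", "b")]
T2 = [("not", "b")]
T = guard(T1, "g1") + guard(T2, "g2")
```

With these definitions, `entails(T, ("imp", "g1", "b"))` and `entails(T, ("imp", ("and", "g1", "g2"), "bot"))` both hold, while `consistent(T)` is true even though `T1 + T2` is inconsistent.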


Lemma 3. Let T_1 and T_2 be propositional theories in L(A) and g ∉ A a new
atom. Then it holds for any φ ∈ L that (i) (T_1 ∪ (T_2)^g) * φ ⟺ T_1 * φ, (ii)
(T_1 ∪ (T_2)^g) * (g ∧ φ) ⟺ (T_1 ∪ T_2) * φ, (iii) T_1 ∪ (T_2)^g ⊨ φ ⟺ T_1 ⊨ φ, and (iv)
T_1 ∪ (T_2)^g ⊨ g → φ ⟺ T_1 ∪ T_2 ⊨ φ.


Our forthcoming translation will use only one guarding atom, namely p,
which refers to any “potential” conclusion associated with a stationary extension.
This resembles our previous approach in which a potential conclusion φ is
encoded as φ°. Given a stationary extension E_1 and E_2 = Cn^{D_{E_1}}(T), our idea
is (i) to include E_1 (i.e. the set of conclusions) without guards and (ii) to represent
E_2 (i.e. the set of potential conclusions) using p as a guard. This approach
provides an implicit encoding of the inclusion E_1 ⊆ E_2, since ⊨ φ → (p → φ)
holds for any propositional sentence φ ∈ L. This is the key observation that lets
us define a fully modular translation: there is no need to provide a separate
translation for the propositional subtheory T (in contrast to Tr_ST1).


Definition 5. For any default theory (D,T) in L(A), let Tr_ST2((D,T)) =


({ (α : p ∧ β_1,...,p ∧ β_n) / γ,  (p → α : β_1,...,β_n) / (p → γ)  |  (α : β_1,...,β_n) / γ ∈ D }, T)


where p is a new atom not appearing in A.
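
As an illustration, the translation can be sketched as a simple data transformation. The sketch below is in Python and rests on an assumption about the intended form of Definition 5: each default α : β_1,...,β_n / γ is taken to yield an unguarded copy whose justifications are strengthened to p ∧ β_i, and a copy whose prerequisite and consequent are guarded by p. The names `Default` and `tr_st2` and the tuple encoding of formulas are hypothetical.

```python
from typing import NamedTuple, Tuple

# A formula is an atom (str) or a tuple such as ("and", f, g) / ("imp", f, g).
Formula = object

class Default(NamedTuple):
    prerequisite: Formula
    justifications: Tuple[Formula, ...]
    consequent: Formula

def tr_st2(defaults, theory, p="p"):
    """Sketch of Tr_ST2: the caller must ensure that p is a fresh atom."""
    translated = []
    for d in defaults:
        # Unguarded copy: alpha : p & beta_1, ..., p & beta_n / gamma
        translated.append(Default(
            d.prerequisite,
            tuple(("and", p, b) for b in d.justifications),
            d.consequent))
        # Guarded copy: p -> alpha : beta_1, ..., beta_n / p -> gamma
        translated.append(Default(
            ("imp", p, d.prerequisite),
            tuple(d.justifications),
            ("imp", p, d.consequent)))
    # The propositional part T is passed through unchanged (modularity).
    return translated, list(theory)
```

For example, `tr_st2([Default("a", ("b",), "c")], ["a"])` returns two defaults and leaves the theory `["a"]` untouched, which reflects that no separate translation of T is needed.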


Using the first two items of Lemma 3, the reduct of the set of defaults introduced
by Tr_ST2 may be computed.


Proposition 3. Let (D,T) be a default theory in L(A) and (D',T) the translation
Tr_ST2((D,T)) in L'(A ∪ {p}). Moreover, let E = Cn(E_1 ∪ (E_2)^p) and
E_1 ⊆ E_2 hold for theories E_1 and E_2 in L. Then it holds for any default
(α : β_1,...,β_n) / γ ∈ D that (i) α/γ ∈ D'_E ⟺ α/γ ∈ D_{E_2}, and
(ii) (p → α)/(p → γ) ∈ D'_E ⟺ α/γ ∈ D_{E_1}.


By the theorems that follow, we shall establish that Tr_ST2 fulfills the requirements
set up in Section 4. In contrast to Tr_ST1, the translation function
Tr_ST2 is modular and it also captures propositionally consistent stationary extensions
which are not strongly propositionally consistent. As a matter of fact,
even propositionally inconsistent stationary extensions are captured by Tr_ST2.


Theorem 4. Let (D,T) be a default theory in L(A) and (D',T) the translation
Tr_ST2((D,T)) in L'(A ∪ {p}). If E_1 ⊆ L is a stationary extension of (D,T) and
E_2 = Cn^{D_{E_1}}(T), then E = Cn(E_1 ∪ (E_2)^p) ⊆ L' is an extension of (D',T).


Proof sketch. Let E_1 be a stationary extension of (D,T) and E_2 = Cn^{D_{E_1}}(T).
Then define the theory E = Cn(E_1 ∪ (E_2)^p) ⊆ L'. Since E_1 ⊆ E_2, it follows
by Proposition 3 that D'_E = D_{E_2} ∪ (D_{E_1})^p. It remains to be established that
Cn^{D_{E_2} ∪ (D_{E_1})^p}(T) = Cn(E_1 ∪ (E_2)^p). (⊆) It can be shown by Lemma 3 that
Cn(E_1 ∪ (E_2)^p) has sufficient closure properties: (i) T ⊆ Cn(E_1 ∪ (E_2)^p), (ii) if
α/γ ∈ D_{E_2} and α ∈ Cn(E_1 ∪ (E_2)^p), then also γ ∈ Cn(E_1 ∪ (E_2)^p), (iii) if
(p → α)/(p → γ) ∈ (D_{E_1})^p and (p → α) ∈ Cn(E_1 ∪ (E_2)^p), then also
p → γ ∈ Cn(E_1 ∪ (E_2)^p), and (iv) Cn(E_1 ∪ (E_2)^p) is propositionally closed in L'.
(⊇) It can be shown that T' = Cn^{D_{E_2} ∪ (D_{E_1})^p}(T) shares the essential closure
properties of E_1 = Cn^{D_{E_2}}(T) ⊆ L and (E_2)^p = Cn^{(D_{E_1})^p}(T^p) ⊆ L^p:
(i) T ⊆ T' and T^p ⊆ T', (ii) T' is closed under
the rules of D_{E_2} and the rules of (D_{E_1})^p, and (iii) T' is propositionally closed in
L and L^p. Thus E_1 ⊆ T' and (E_2)^p ⊆ T' so that Cn(E_1 ∪ (E_2)^p) ⊆ T' holds.


Theorem 5. Let (D,T) be a default theory in L(A) and (D',T) the translation
Tr_ST2((D,T)) in L'(A ∪ {p}). If E ⊆ L' is an extension of the translation
(D',T), then E_1 = E ∩ L is a stationary extension of (D,T) such that E_2 =
{φ ∈ L | p → φ ∈ E} satisfies E_2 = Cn^{D_{E_1}}(T).


Proof sketch. Let E = Cn^{D'_E}(T) be an extension of (D',T) and let E_1 and E_2
be defined as above. Moreover, define Γ_1 = {γ | α/γ ∈ D'_E and α ∈ E} and Γ_2 =
{γ | (p → α)/(p → γ) ∈ D'_E and p → α ∈ E}. It follows by a characterization of extensions
[16] that E = Cn(T ∪ Γ_1 ∪ (Γ_2)^p). Thus E_1 = Cn(T ∪ Γ_1), E_2 = Cn(T ∪ Γ_1 ∪ Γ_2)
and E = Cn(E_1 ∪ (E_2)^p) hold by Lemma 3. It follows that E_1 ⊆ E_2.

(A) It is established that E_1 = E ∩ L equals Cn^{D_{E_2}}(T). (⊆) Consider any
φ ∈ E_1 so that φ ∈ L, φ ∈ E and φ is D'_E-provable from T in i > 0 steps. It
can be proved by induction on i that φ ∈ Cn^{D_{E_2}}(T) holds using Lemma 3 and
Proposition 3. (⊇) It can be shown using Proposition 3 that E_1 has the closure
properties of Cn^{D_{E_2}}(T): (i) T ⊆ E_1, (ii) if α/γ ∈ D_{E_2} and α ∈ E_1, then also
γ ∈ E_1, and (iii) E_1 = E ∩ L is propositionally closed in L ⊆ L'.

(B) It remains to be shown that E_2 equals Cn^{D_{E_1}}(T). (⊆) Consider any
φ ∈ E_2. It follows that φ ∈ L and p → φ ∈ E, i.e. p → φ is D'_E-provable from T
in i > 0 steps. Then it can be proved by induction on i that φ ∈ Cn^{D_{E_1}}(T) holds
using Lemma 3 and Proposition 3. In particular, note that E_1 ⊆ E_2 implies
D_{E_2} ⊆ D_{E_1}. (⊇) It can be shown by Proposition 3 that E_2 shares the closure
properties of Cn^{D_{E_1}}(T): (i) T ⊆ E_2, (ii) if α/γ ∈ D_{E_1} and α ∈ E_2, then also
γ ∈ E_2, and (iii) E_2 = {φ ∈ L | p → φ ∈ E} is propositionally closed in L.


Theorem 6. Let (D,T) be a default theory in L(A) and (D',T) the translation
Tr_ST2((D,T)) in L'(A ∪ {p}). Then the stationary extensions of (D,T) and the
extensions of (D',T) are in one-to-one correspondence and coincide up to L.


Proof sketch. Theorems 4 and 5 provide us with two implicit mappings. The first one
maps a stationary extension E ⊆ L of (D,T) to an extension m_1(E) = Cn(E ∪
(E')^p) of (D',T) where E' = Cn^{D_E}(T). The second one maps an extension
E ⊆ L' of (D',T) to a stationary extension m_2(E) = E ∩ L of (D,T). Using
Lemma 3 and the proof of Theorem 5, it can be shown that m_1 and m_2 are
injective and inverses of each other. Moreover, the extensions involved in the
one-to-one correspondence coincide up to L by the definition of m_2.


From now on, our goal is to locate the exact position of STDL in EPH
[12,13]. The results established so far let us draw the first conclusion in this
respect. The translation function Tr_ST2 is PFM by Definition 5 and Theorems 4-6
(restricted to propositionally consistent extensions). We conclude the following.


Corollary 1. STDL →_PFM DL.

Theorems 7 and 8 establish that STDL resides between CL and DL in EPH.

Theorem 7. STDL ⇒_PFM DL.


Proof. Consider a set of defaults D = {(: a) / a, (: ¬a) / ¬a} in L based on A = {a}. The
default theory (D,∅) has two propositionally consistent extensions: E_1 = Cn({a})
and E_2 = Cn({¬a}). Suppose there is a PFM translation function Tr that maps
(D,∅) to a default theory (D',T') in L' based on A' ⊇ A such that the propositionally
consistent extensions of the former and the propositionally consistent
stationary extensions of the latter are in one-to-one correspondence and coincide
up to L. Then the translation (D',T') has at least one propositionally consistent
stationary extension E by the one-to-one correspondence of extensions.
Consequently, the least stationary extension F of (D',T') is also propositionally
consistent, since F is contained in E which is propositionally consistent.

Then consider the extension of (D,∅) corresponding to F which is either
E_1 or E_2. Let us analyze the case that E_1 corresponds to F (the case that E_2
corresponds to F is covered by symmetry). Since a ∈ E_1, it follows that a ∈ F
by the faithfulness of Tr. Then let E' be the stationary extension of (D',T')
corresponding to E_2. Since F ⊆ E' it follows that a ∈ E'. Thus a ∈ E_2 by the
faithfulness of Tr, a contradiction. Hence DL ↛_PFM STDL and STDL ⇒_PFM DL.


Theorem 8. CL ⇒_PFM STDL.


Proof. The unique extension associated with a classical propositional theory
T ⊆ L(A) is Cn(T). Consider the translation function Tr(T) = (∅,T). It is clear
that the default theory Tr(T) has a unique stationary extension E = Cn^{∅_E}(T) =
Cn^∅(T) = Cn(T) regardless of T. Thus CL →_PFM STDL.

Then consider the set of defaults D = {(: ¬a) / b, (: ¬b) / a} and the possibilities of
translating the default theory (D,∅) under stationary extensions into a classical
propositional theory T'. Now (D,∅) has three stationary extensions, namely
E_1 = Cn(∅), E_2 = Cn({a}) and E_3 = Cn({b}). However, the translation has
only one extension Cn(T'). Hence STDL ↛_PFM CL and CL ⇒_PFM STDL.


The set of defaults D involved in the proof of Theorem 7 is normal and 
prerequisite-free. We may conclude the following by the same counter-example. 


Corollary 2. NDL ↛_PFM STDL, PDL ↛_PFM STDL and PNDL ↛_PFM STDL.


It remains to explore whether STDL is captured by PDL, PNDL and NDL. 


Theorem 9. STDL ↛_PFM PDL and STDL ↛_PFM PNDL.


Proof. Consider the set of defaults D = {(a : ) / b, (a → b : ) / a} (adopted from [9, Theorem
3.2]) and the theories T_1 = {a}, T_2 = {a → b} and T_3 = {a, a → b} in L(A)
where A = {a,b}. Each default theory (D,T_i) where i ∈ {1,2,3} has a unique
propositionally consistent stationary extension E = Cn({a,b}). Then suppose
that there is a PFM translation function Tr_PDL from STDL to PDL. Let (D',T')
be the translation Tr_PDL((D,∅)) in L'(A') where A' ⊇ A. Since Tr_PDL is modular,
we know that Tr_PDL((D,T_i)) = (D',T' ∪ T_i) holds for every i ∈ {1,2,3}. By
the faithfulness of Tr_PDL, each default theory (D',T' ∪ T_i) with i ∈ {1,2,3} has
a unique propositionally consistent extension E'_i such that E = E'_i ∩ L. Since D'
is prerequisite-free, each extension E'_i is of the form Cn(T' ∪ T_i ∪ Γ_i) where Γ_i
is the set of consequents {γ | (: β_1,...,β_n) / γ ∈ D' and ∀j ∈ {1,...,n}: E'_i * β_j}.

Since a → b ∈ E'_1 ∩ L, it follows that a → b ∈ E'_1 holds for E'_1 = Cn(T' ∪ T_1 ∪
Γ_1). Thus E'_1 = Cn(T' ∪ T_3 ∪ Γ_1) so that E'_1 is also a propositionally consistent
extension of (D',T' ∪ T_3). On the other hand, it holds that a ∈ E'_2 ∩ L. Thus
a ∈ E'_2 holds for E'_2 = Cn(T' ∪ T_2 ∪ Γ_2). It follows that E'_2 = Cn(T' ∪ T_3 ∪ Γ_2),
i.e. E'_2 is also a propositionally consistent extension of (D',T' ∪ T_3).

Then E'_1 = E'_2 = E'_3 is the case, as E'_3 is the unique propositionally consistent
extension of (D',T' ∪ T_3). It follows that Γ_1 = Γ_2 = Γ_3 as well. Thus we let E'
denote any of E'_1, E'_2 and E'_3, as well as Γ any of Γ_1, Γ_2 and Γ_3. Recall that
E' is a propositionally consistent extension of (D',T' ∪ T_1) and b ∈ E', since
b ∈ E. It follows that T' ∪ {a} ∪ Γ ⊨ b as well as that T' ∪ Γ ⊨ a → b. Thus
E' = Cn(T' ∪ T_2 ∪ Γ) = Cn(T' ∪ Γ) holds, indicating that E' is also an extension of
(D',T'). A contradiction, since a ∈ E' and b ∈ E', but the unique propositionally
consistent stationary extension of (D,∅) is Cn(∅). Hence STDL ↛_PFM PDL.

Let us then assume that STDL →_PFM PNDL. Since PNDL →_PFM PDL holds by
the classes of EPH, we obtain STDL →_PFM PDL by the compositionality of PFM
translation functions [13], a contradiction. Hence STDL ↛_PFM PNDL.


Theorem 10. STDL ↛_PFM NDL.


Proof. Consider a set of defaults D = {(a : ) / ¬a} and a theory T = {a} in L({a}). Note
that the default theory (D,T) has no propositionally consistent stationary extensions.
Suppose there is a PFM translation function Tr such that Tr((D,T)) =
(D',T' ∪ T) is a normal default theory which is guaranteed to have an extension
E' [22]. Since Tr is faithful, E' must be propositionally inconsistent. Thus T' ∪ T
must be propositionally inconsistent [22]. It follows that T' ⊨ ¬a.

On the other hand, the default theory (D,∅) has a propositionally consistent
stationary extension E = Cn(∅). By modularity, the translation Tr((D,∅))
is (D',T'). By faithfulness, the translation (D',T') has a corresponding propositionally
consistent extension F = Cn^{D'_F}(T') such that E = F ∩ L. Since
T' ⊨ ¬a, it follows that ¬a ∈ F. A contradiction, since ¬a ∉ E = Cn(∅).


By the theorems presented, STDL is incomparable with PDL, PNDL and 
NDL. Thus STDL is located in its own class of EPH (not present in Fig. 1). 


6.1 Regular Extensions 


Let us address a further semantics for default logic which is obtained as a gen- 
eralization of regular models proposed for normal logic programs by You and 
Yuan [26]. An alternating fix-point M of a normal logic program P is a regular 
model of P if there is no alternating fix-point M' of P such that M ⊂ M'. In
this way, regular models minimize undefinedness. Stable models of P are also 
regular models of P but in general, a normal logic program may possess more 
regular models than stable models. Regular extensions are definable for default 
theories in an analogous fashion as maximal stationary extensions. 


Definition 6. A stationary extension E of a default theory (D,T) is a regular 
extension of (D,T) iff (D,T) has no stationary extension E' such that E ⊂ E'.
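
Definition 6 amounts to selecting the maximal elements of a finite family of theories. A minimal sketch in Python follows, assuming that every stationary extension is represented by a consistent set of literals generating it, so that inclusion between the generated theories coincides with inclusion between these sets; the function name `regular_extensions` is hypothetical.

```python
def regular_extensions(stationary_extensions):
    """Keep the extensions that are not properly included in another one."""
    exts = [frozenset(e) for e in stationary_extensions]
    # `e < other` is proper set inclusion on frozensets.
    return [e for e in exts if not any(e < other for other in exts)]
```

For the three stationary extensions Cn(∅), Cn({a}) and Cn({b}) mentioned in the proof of Theorem 8, `regular_extensions([set(), {"a"}, {"b"}])` keeps only the generators of Cn({a}) and Cn({b}).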


Despite this maximization principle, stationary and regular extensions behave
very similarly under the brave reasoning approach. More precisely, a query
φ belongs to some regular extension E of a default theory (D,T) if and only if
φ belongs to some stationary extension of (D,T). By this tight interconnection
of decision problems, Gottlob’s complexity results [7,8] imply that brave reasoning
with regular extensions forms a Σ^p_2-complete decision problem in analogy
to brave reasoning with stationary extensions. The results of this paper enable
implementing brave reasoning with stationary and regular extensions. In addition
to an inference engine for brave reasoning with Reiter’s extensions (such
as the system DeReS [2]) we need a program that computes the translation
Tr_ST2((D,T)) for a default theory (D,T) given as input.


7 Conclusions and Future Work 


In this paper, we have analyzed the possibilities of reducing stationary default
logic (i.e., default theories under stationary extensions) to Reiter’s default logic
(i.e., default theories under Reiter’s extensions). It turned out that the translation
function proposed for normal and disjunctive logic programs [14] does not
generalize for default theories in a satisfactory way. In fact, it is established in
Section 5 that a PFM translation function cannot be obtained using a similar
technique. Fortunately, guarding atoms provide an alternative technique that
leads to a PFM translation function in Section 6. This is how we obtain further
evidence for the adequacy of PFM translations, because even non-monotonic
logics with a partial semantics can be classified using the existence of a PFM
translation function as the criterion. It is also interesting to note that Tr_ST2
does not specialize for normal or disjunctive logic programs, since conditional
inference with guards is not supported by them. However, the situation could
be different if nested logic programs [15] are taken into consideration. Moreover,
the properties of stationary and regular extensions and the translation function
Tr_ST2 enable implementing brave reasoning with stationary and regular extensions
simply by using existing implementations of DL (such as DeReS [2]).

By the theorems presented, the stationary default logic (STDL) is strictly 
less expressive than default logic (DL), but strictly more expressive than clas- 
sical propositional logic (CL). Moreover, STDL is incomparable with the other 
representatives of the classes of EPH: NDL (normal DL), PDL (prerequisite-free 
DL) and PNDL (prerequisite-free and normal DL). Thus STDL determines a 
class of its own between CL and DL. This is quite understandable, since STDL 
is the only non-monotonic logic based on a partial semantics and located in 
EPH. Nevertheless, the results of this paper indicate that EPH can be extended 
further with semantic variants of default logic. Only weak default logic (WDL) 
has been considered earlier while a number of syntactic variants have been al- 
ready classified. One obvious way to extend EPH is to analyze syntactic variants 
of default logic under stationary extensions. Moreover, analogs of stationary 
extensions [10,3] have been proposed for Moore’s autoepistemic logic [18] and 
Reiter’s closed world assumption (CWA) [21] can be understood as the “station- 
ary counterpart” of McCarthy’s circumscription [17] as shown in [11]. It seems 
that a partial fragment of EPH can be established by comparing STDL with
these logics such that STDL links this fragment to the rest of EPH.


Abstract. We present an abductive mechanism that works as a robust
parser in realistic tasks of Natural Language Processing involving incomplete
information in the lexicon, whether it lacks lexical items or the
items are partially and/or wrongly tagged. The abductive mechanism
is based on an algorithm for automated deduction in Lambek Calculus
for Categorial Grammar. The most relevant features, from the Artificial
Intelligence point of view, are the ability to handle incomplete input
information and to extend and reorganize lexical data from large-scale
corpora automatically.


1 Introduction 


1.1 Logic and Natural Language Processing 


Natural Language Processing (NLP) is an interdisciplinary field where many research
communities meet. Of all NLP objectives, parsing is among the basic
tasks on which other treatments of natural language can be founded. The development
of efficient and robust parsing methods is a pressing need for computational
linguistics; some of these methods are also relevant to Logic in AI, whether they
are founded on logic or use characteristic AI techniques.

Lambek Calculus (LC) for Categorial Grammar (CG) is a good candidate
for developing parsing techniques in a logic framework. Some of the major advantages
of CG are: (a) its ability to treat incomplete subphrases; (b) it is
(weakly) equivalent to context-free grammars, but (c) CG is radically lexicalist,
as it has no (production) rules except logical ones; therefore, (d) syntactic revisions
are reduced to type reassignments of lexical data of a given lexicon.

On the other hand, the Gentzen-style sequent formulation of LC for CG also
presents several attractive features: (a) a well-known logical behaviour (LC
corresponds to intuitionistic non-commutative multiplicative linear logic with
non-empty antecedent); (b) cut elimination, and hence the subformula
property, which is desirable with regard to implementation.


* Partially supported by grant no. PB98-0590 of the Comisión Interministerial de


When it comes to using LC in realistic tasks of NLP, one must admit that
LC has two possible disadvantages: (a) its complexity is unknown; (b) in so
far as it is equivalent to context-free grammars, LC cannot account for several
linguistic phenomena. These limitations accepted, we encounter another kind of
difficulty: the realistic tasks of NLP involve characteristic problems that cannot
be solved by the sole use of deductive systems. A deduction is always something
closed, in accordance with immovable rules; however, our language understanding
is robust enough that it succeeds even if partial information is lacking.


1.2 Learning and Revising Data


AI research aims to extend the logical machinery from precise mathematical
reasoning to real situations in the real world. That means, for example,
learning from experience, reorganizing knowledge, and operating even if
the information is incomplete. The task of building robust parsers falls
naturally within the goals of AI.

The (informal) notion of robustness refers to the indifference of a system to
a wide range of external disruptive factors [Ste92], [Men95]. Out of all desirable
properties of a robust parser we focus chiefly on two: (a) a robust parser
has to work in the absence of information (hence it must learn from data); (b) a
robust parser has to revise and update the information.

In recent years, the idea that systematic and reliable large-scale acquisition
of linguistic information is the real challenge to NLP has been
stressed. Moreover, currently available corpora make it possible to build the
core of a grammar and to increase the grammatical knowledge automatically
from corpora. Two strategies compete when it comes to approaching
the specific problems of NLP referred to above: statistical versus rule-based
strategies. From an engineering point of view, statistical extensions of linguistic
theories have gained vast popularity in the field of NLP: purely rule-based
methods suffer from a lack of robustness in resolving uncertainty due to overgeneration
(if too many analyses are generated for a sentence) and undergeneration
(if no analysis is generated for a sentence) [Bod98]. We think this ‘lack of robustness’
can be remedied, in the spirit of AI, by abductive mechanisms that extend
the deductive systems.


1.3 Abductive Mechanisms


We use the term ‘abductive mechanism’ in a sense that may require a deeper
explanation.

A deductive logical system typically offers a ‘yes/no’ answer to a closed question
stated in the language of this logic. The two situations pointed out above
can be found whenever we try to use a deduction system in realistic tasks of
NLP:

(a) Lack of information in the lexicon. Thus, we have to use variables that do
not belong to the logical language, as in α(X), for unknown values. An equivalent
problem in classical logic would be the following task: p ∨ q, p → r, X ⊢ r. Stated
in this way, it is not properly a deduction problem.
(b) A merely negative answer: ⊬ α.

In both cases we can consider that we have a theory (here, the lexicon L) and a
problem to solve: how the lexicon has to be modified and/or extended in order
to obtain a deduction:

(a’) L ⊢ Subst^A_X α(X), where A belongs to the logical language used;
(b’) L ⊢ β, where β is obtained from α according to some constraints.

That is precisely what we have called ‘abductive’ problems (inasmuch as it
is not a new rule, but new data that have to be searched for), and ‘abductive
mechanism’ (as the method for its solution). One matter is the logical system
on whose rules we justify a concrete yes/no answer to a closed question, and
another matter is the procedure of searching for some answer, which may be
labelled as abductive.
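
The classical-logic task p ∨ q, p → r, X ⊢ r mentioned above can be turned into a small search problem. The following Python sketch assumes that candidate values for X are restricted to literals over p, q and r and that a candidate counts as a solution only if it is consistent with the theory; both restrictions, and the names `explains` and `abduce`, are illustrative assumptions rather than part of the method described in this paper.

```python
from itertools import product

ATOMS = ["p", "q", "r"]

# Background theory from the text: p ∨ q and p → r; the goal is r.
THEORY = [
    lambda v: v["p"] or v["q"],
    lambda v: (not v["p"]) or v["r"],
]
GOAL = lambda v: v["r"]

def valuations():
    for bits in product([False, True], repeat=len(ATOMS)):
        yield dict(zip(ATOMS, bits))

def literal(atom, positive):
    return lambda v: v[atom] == positive

def explains(hypothesis):
    # Models of the theory together with the hypothesis X.
    ms = [v for v in valuations()
          if all(f(v) for f in THEORY) and hypothesis(v)]
    # X must be consistent with the theory and must make the goal follow.
    return bool(ms) and all(GOAL(v) for v in ms)

CANDIDATES = {("" if pos else "not ") + a: literal(a, pos)
              for a in ATOMS for pos in (True, False)}

def abduce():
    return sorted(name for name, h in CANDIDATES.items() if explains(h))
```

Calling `abduce()` yields the candidates `not q`, `p` and `r`; the last one is the trivial solution in which the goal itself is assumed, which illustrates why additional constraints on admissible answers are needed.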

Our purpose is to introduce an abductive mechanism that extends LC in
order to obtain a robust parser that can be fruitfully employed in realistic
applications of NLP.¹


1.4 State-of-the-Art in Categorial Grammar Learning 


Large electronic corpora make the induction of linguistic knowledge a challenge.
Most of the work in this field falls within the paradigm of classical automata and
formal language theory [HU79], whether it uses symbolic methods, statistical
methods, or both.² As formal automata and language theory does not use the
mechanisms of deductive logics, the methods used for learning a language from
a set of data are not abductive or inductive mechanisms. Instead, they build an
infinite sequence of grammars that converges in the limit.

Against this background, much of the work on learning Categorial
Grammars deals with the problem of what classes of categorial grammars may
be built from positive or negative examples in the limit.³ This approach handles
corpora that hold no tags at all, or that are tagged with the information of which
item acts as functor and which item acts as argument.

The difference between those works and ours is that the former (a) have
a wider goal, that of learning a whole class of categorial grammars from tagged
corpora, and (b) do not make use of any abductive mechanism, but
follow the steps made in the field of formal language theory.


¹ Currently, LC seems to be relegated to an honourable logical place. It is far from
constituting an indispensable methodology in NLP. Let us use the TMR Project
Learning Computational Grammars as an illustration. This project “will apply several
of the currently interesting techniques for machine learning of natural language
to a common problem, that of learning noun-phrase syntax.” Eight techniques are
used. None is related to LC.

² Cf. Gold [Gol67], Angluin [Ang80], [AS83], Bod [Bod98] and references therein.

³ For this approach, cf. Buszkowski [Bus87a], [Bus87b], Buszkowski and Penn [BP90],
Marciniec [Mar94], Kanazawa [Kan98].


On the other hand, our work (i) is of a narrower scope (we are only interested
in filling some gaps that the lexicon may have, or in changing the category
assigned by the lexicon to some lexical item when it does not lead to success),
and (ii) uses an abductive mechanism.

Finding the right category to assign to a lexical item is possible because we 
make use of a goal directed parsing algorithm that avoids infinite ramifications of 
the search tree trying only those categories that are consistent with the context. 


2 A Parsing Algorithm Based on Lambek Calculus 


2.1 Lambek Calculus 


First, we introduce the Gentzen-style sequent formulation of LC. The underlying 
basic idea in the application of LC to natural language parsing is to assign a 
syntactic type (or category) to a lexical item. A concrete sequence of lexical items 
(words in some natural language) is grammatically acceptable if the sequent with 
these types as antecedent and the type s (sentence) as succedent is provable in 
LC. 

The language of the (product-free) LC for CG is defined by a set of basic
or atomic categories (BASCAT), also called primitive types, from which we
form complex categories, also called types, with the set of right and left division
operators {/,\}:

If A and B are categories, then A/B and B\A are categories.

We define a formula as being a category or a type.

In the following we shall use lower case Latin letters for basic categories, upper
case Latin letters for arbitrary categories, lower case Greek letters for non-empty
sequences of categories, and upper case Greek letters for possibly empty
sequences of categories.

The rules of LC are [Lam58]:

1. Axioms:

     --------- (Ax)
       A ⇒ A

2. Right Introduction: /R, \R

      γ, B ⇒ A                  B, γ ⇒ A
     ----------- (/R)          ----------- (\R)
      γ ⇒ A/B                   γ ⇒ B\A

3. Left Introduction: /L, \L

      γ ⇒ B    Γ, A, Δ ⇒ C             γ ⇒ B    Γ, A, Δ ⇒ C
     ----------------------- (/L)     ----------------------- (\L)
        Γ, A/B, γ, Δ ⇒ C                 Γ, γ, B\A, Δ ⇒ C

4. Cut

      γ ⇒ A    Γ, A, Δ ⇒ C
     ----------------------- (Cut)
          Γ, γ, Δ ⇒ C

It is required that each sequent has a non-empty antecedent and precisely one
succedent category. The cut-rule is eliminable.


2.2 Automated Deduction in Lambek Calculus


Given a lexicon for a natural language, the problem of determining the grammatical
correctness of a concrete sequence of lexical items (a parsing problem)
becomes a deductive problem in LC. Therefore, a parsing algorithm is just
an LC theorem prover.

LC-theoremhood is decidable. However, LC typically allows many distinct proofs
of a given sequent that assign the same meaning; this problem is called ‘spurious
ambiguity’. An efficient theorem prover has to search for (all) non-equivalent
proofs only. There are two approaches to this problem in the literature, based
on a normal form of proofs (Hepple [Hep90], König, Moortgat [Moo90], Hendriks
[Hen93]) or on proof nets (Roorda [Roo91]). The LC theorem prover we present is
related to König’s method [Kön89], but it solves problems that are specific to
König’s algorithm.

First, we introduce some definitions. 


1. Value and Argument Formulae
1.1. If F = a, then a is the value formula of F;
1.2. If (i) F = G/H or (ii) F = H\G, then G is the value formula of F and
H is the argument formula of F. In case (i), H is the right argument
formula; in case (ii), H is the left argument formula.
2. Value Path
The value path of a complex formula F is the ordered set of formulae
(A_1,...,A_n) such that A_1 is the value formula of F and A_j is the value
formula of A_{j-1} for 2 ≤ j ≤ n.
3. Argument Path
The argument path of a complex formula F is the ordered set of formulae
(B_1,...,B_n) such that B_1 is the argument formula of F and B_j is the
argument formula of A_{j-1}, for 2 ≤ j ≤ n, with (A_1,...,A_n) being the value
path of F.
The right (resp. left) argument path of a complex formula F is the ordered
subset of its argument path containing right (resp. left) argument formulae only.
4. Main Value Formula
A is the main value formula of a complex formula F whose value path is
(A_1,...,A_n) if and only if A = A_n.
It follows that: (i) if A is a main value formula, then A ∈ BASCAT; (ii)
every complex formula has exactly one main value formula.
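
The definitions above translate directly into code. The following Python sketch is one possible encoding and not the authors' implementation: basic categories are strings, and the classes `Over` (for A/B) and `Under` (for B\A) as well as all function names are hypothetical.

```python
from dataclasses import dataclass
from typing import Union

@dataclass(frozen=True)
class Over:            # A/B: value A, right argument B
    value: "Cat"
    arg: "Cat"

@dataclass(frozen=True)
class Under:           # B\A: left argument B, value A
    arg: "Cat"
    value: "Cat"

Cat = Union[str, Over, Under]

def value_path(f):
    """(A_1,...,A_n): successive value formulae, ending in a basic category."""
    path = []
    while not isinstance(f, str):
        f = f.value
        path.append(f)
    return path

def argument_path(f):
    """(B_1,...,B_n): argument formulae of F, A_1, ..., A_{n-1}."""
    path = []
    while not isinstance(f, str):
        path.append(f.arg)
        f = f.value
    return path

def side_argument_paths(f):
    """Left and right argument paths, each in argument-path order."""
    left, right = [], []
    while not isinstance(f, str):
        (right if isinstance(f, Over) else left).append(f.arg)
        f = f.value
    return left, right

def main_value(f):
    """Last element of the value path; a basic category is its own value."""
    path = value_path(f)
    return path[-1] if path else f
```

For F = (a\s)/b, written `Over(Under("a", "s"), "b")`, the value path is (a\s, s), the argument path is (b, a), the left argument path is (a), the right argument path is (b), and the main value formula is s.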


2.3. The Algorithm 


We now sketch the algorithm, which has been implemented in both C and Prolog. We
present it in a pseudo-Prolog fashion to make it easier to
understand. This is not Prolog, as we have simplified the management of data
structures and other practical problems of the language. At the same time we
assume a “try or fail” control strategy like that of Prolog, as well as unification
mechanisms to build data structures. Self-evident procedures (search_value,
etc.) are not included.


procedure proof
input: data ⇒ target
output: proof tree if {⊢_LC data ⇒ target}, otherwise FAIL.
process:
  CASE data = target:
    RETURN { --------------- (Ax) }
              data ⇒ target

  CASE target = A/B:
    RETURN {  proof(data, B ⇒ A)
             -------------------- (/R) }
                data ⇒ target

  CASE target = B\A:
    RETURN {  proof(B, data ⇒ A)
             -------------------- (\R) }
                data ⇒ target

  CASE atomic(target):
    LET c := target
    LET [list_1, list_2, ..., list_n] := search_value(c in data)
    FOREACH list_i ∈ [list_1, list_2, ..., list_n] DO
      LET [α, F, β] := list_i
      LET [A_1, ..., A_k] := left_argument_path(c in F)
      LET [B_1, ..., B_m] := right_argument_path(c in F)
      LET tree_i := STACK reduce([ ], α, [A_k, ..., A_1])
                    WITH reduce([ ], β, [B_1, ..., B_m])
      IF tree_i = FAIL
        THEN CONTINUE
        ELSE RETURN {      tree_i
                      --------------- (|L) }
                       data ⇒ target
    END FOR
END procedure proof


procedure reduce
input: ([acums], [data], [targets])
output: proof tree if {⊢_LC acums, data ⇒ targets}, otherwise FAIL.
process:
  CASE acums = data = targets = [ ]: RETURN { --- (empty) }
  CASE targets = [A]:
    RETURN proof(acums, data ⇒ A)
  OTHERWISE:
    CASE acums ≠ [ ] AND length(data) ≥ length(tail(targets)):
      LET tree := STACK proof(acums ⇒ head(targets))
                  WITH reduce([head(data)], tail(data), tail(targets))
      IF tree ≠ FAIL
        THEN RETURN tree
        ELSE try next case
    CASE length(tail(data)) ≥ length(targets) - 1:
      RETURN reduce(acums + head(data), tail(data), targets)
    OTHERWISE RETURN FAIL
END procedure reduce
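
The two procedures can be approximated by a compact, runnable decision procedure. The Python sketch below is a simplification under stated assumptions and not the authors' C or Prolog implementation: it returns only True or False instead of a proof tree, it encodes categories with the hypothetical classes `Over` (A/B) and `Under` (B\A), and it assumes that the accumulation step of reduce leaves the list of targets unchanged.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Over:            # A/B: value A, right argument B
    value: object
    arg: object

@dataclass(frozen=True)
class Under:           # B\A: left argument B, value A
    arg: object
    value: object

def main_value(f):
    while not isinstance(f, str):
        f = f.value
    return f

def argument_paths(f):
    left, right = [], []
    while not isinstance(f, str):
        (right if isinstance(f, Over) else left).append(f.arg)
        f = f.value
    return left, right

def proves(data, target):
    """True iff the sequent data => target is accepted by the procedure."""
    data = tuple(data)
    if not data:                        # antecedents must be non-empty
        return False
    if data == (target,):               # axiom
        return True
    if isinstance(target, Over):        # /R: move the argument to the right end
        return proves(data + (target.arg,), target.value)
    if isinstance(target, Under):       # \R: move the argument to the left end
        return proves((target.arg,) + data, target.value)
    for i, f in enumerate(data):        # atomic target: pick a functor F
        if main_value(f) != target:
            continue
        left, right = argument_paths(f)
        if (reduce_seq((), data[:i], tuple(reversed(left)))
                and reduce_seq((), data[i + 1:], tuple(right))):
            return True
    return False

def reduce_seq(acc, data, targets):
    """Split acc + data into consecutive segments, one per target."""
    if not targets:
        return not acc and not data
    if len(targets) == 1:
        return proves(acc + data, targets[0])
    # Close the current segment and start the next one with head(data).
    if acc and len(data) >= len(targets) - 1:
        if proves(acc, targets[0]) and reduce_seq(data[:1], data[1:], targets[1:]):
            return True
    # Otherwise extend the current segment with head(data).
    if data and len(data[1:]) >= len(targets) - 1:
        return reduce_seq(acc + data[:1], data[1:], targets)
    return False
```

With the usual toy lexicon, `proves(["np", Over(Under("np", "s"), "np"), "np"], "s")` succeeds for a transitive sentence, whereas placing both noun phrases after the verb fails, as expected in a non-commutative calculus.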


2.4 Remarks on the Algorithm 


(i) The proof procedure behaves as expected when input is an axiom. 
(ii) The algorithm decomposes any complex target formula until it has to prove
an atomic one, $c \in$ BASCAT.
(iii) The reduce procedure is the main characteristic of our algorithm. When we
have to prove an atomic target, (i) we search for the formulae in the antecedent
whose main value formula is the same as the atomic target ($F_1, \ldots, F_n$); (ii) for
each $F_i$, $1 \leq i \leq n$, the left-hand side (resp. right-hand side) of the antecedent
(with respect to $F_i$) and the left argument path of $F_i$ (resp. right argument path)
have to cancel each other out. The algorithm speeds up the deduction by trying to
satisfy the argument paths of $F_i$. The major advantages are obtained when the
sequence of data is long (note that a sentence in natural language may
be up to 40 to 50 words long) and the argument paths of the formulae are long. This
property follows from the fact that the reduce procedure keeps track of the data not
yet consumed and of the target formulae remaining to be proved. An efficient
implementation of this algorithm has to avoid unnecessary calls to the proof procedure
from the reduce procedure by memoizing the proofs already tried.

(iv) FAIL may be regarded as an error-propagating value. If any of the arguments
of the proof-tree constructors (such as STACK, (|L), (/R), etc.) is FAIL, then
the resulting proof tree is FAIL. A sensible implementation should exploit this
feature to abandon the current computational step and continue with the next
one.


2.5 Properties of the Algorithm 


(1) The algorithm is correct: If the output of proof procedure is not FAIL, then 
the proof tree constructed is a deduction of the input in LC. 

Proof. Every rule we employ is a direct LC rule: axiom, /R, \R. Note that the
symbol |L stands for successive applications of /L and/or \L. The conditions
needed for applying each rule are exactly those required in LC.
Hence, we can construct a proof tree in LC from the output of the proof
procedure.
(2) The algorithm is complete: If $\vdash_{LC}$ data $\Rightarrow$ target, then the output of the
proof procedure is a proof tree.

The proof follows from (2.1) and (2.2) below:

(2.1) If there is no deduction in LC for $\gamma, B \Rightarrow A$, then there is no deduction in
LC for $\gamma \Rightarrow A/B$. (Similarly for $B, \gamma \Rightarrow A$ and $\gamma \Rightarrow B\backslash A$.)

Proof: Let us suppose that there is a proof tree, $\Pi$, in LC for $\gamma \Rightarrow A/B$.
Case 1: If every rule in $\Pi$ is either an L-rule or an axiom, then we follow the
deduction tree in a bottom-up fashion and we reach the sequent $A/B \Rightarrow A/B$.
We can construct a proof $\Pi'$ from $\Pi$ in this way:

\[ \frac{B \Rightarrow B \qquad A \Rightarrow A}{A/B,\; B \Rightarrow A} \]

Next we apply the rules of $\Pi$ over $A/B$ that yield $\gamma \Rightarrow A/B$ in $\Pi$, and we obtain
in $\Pi'$: $\gamma, B \Rightarrow A$.
Case 2: If there is an application of /R in $\Pi$ that yields

\[ \frac{\delta, B \Rightarrow A}{\delta \Rightarrow A/B} \]

but it is not at the bottom of $\Pi$, we can postpone the application of the /R rule
in $\Pi'$ until the remaining rules of $\Pi$ have been applied, and so we have in $\Pi'$ the
sequent $\gamma, B \Rightarrow A$.


We use these properties to decompose any complex succedent until we reach
an atomic one.
(2.2) Let $c \in$ BASCAT, and $\gamma = \gamma_1, \ldots, \gamma_n$ ($n > 0$).
If $\vdash_{LC} \gamma \Rightarrow c$, then there exists some $\gamma_j$ ($1 \leq j \leq n$) such that:
(i) $c$ is the main value formula of $\gamma_j$;
(ii) $\Vdash_{LC} \gamma_1, \ldots, \gamma_{j-1} \Rightarrow \Phi$;
(iii) $\Vdash_{LC} \gamma_{j+1}, \ldots, \gamma_n \Rightarrow \Delta$;
(iv) A deduction tree for $\gamma \Rightarrow c$ can be reconstructed from (ii), (iii), and from
the axiom $c \Rightarrow c$.
(Where $(A_1, \ldots, A_k)$ is the left argument path of $\gamma_j$, $\Phi = (A_k, \ldots, A_1)$, and
$\Delta = (B_1, \ldots, B_m)$ is the right argument path of $\gamma_j$.)


The symbol $\Vdash_{LC}$ stands for the fact that a sequence of formulae (data)
proves a sequence of target formulae, keeping the order. If we consider the Lambek
Calculus with the product operator, $\bullet$, then $\Phi$ and $\Delta$ can be constructed as the
product of all $A_i$ and all $B_i$ respectively, and $\Vdash_{LC}$ can be replaced by $\vdash_{LC}$
in (ii), (iii).

Note that (ii) and (iii) state that $\gamma_1, \ldots, \gamma_{j-1}$ can be split up into $k$ sequences
of categories $(\alpha_k, \ldots, \alpha_1)$, and $\gamma_{j+1}, \ldots, \gamma_n$ can be split up into $m$ sequences of
categories $(\beta_1, \ldots, \beta_m)$ such that

(ii') $\vdash_{LC} \alpha_n \Rightarrow A_n$, for $1 \leq n \leq k$;

(iii') $\vdash_{LC} \beta_n \Rightarrow B_n$, for $1 \leq n \leq m$.

Proof:

Ad (i) No rule except an axiom allows $c$ to be introduced in the succedent. Following
the deduction tree in a bottom-up fashion, successive applications of /L and \L
are such that (a) the argument formulae in the conclusion turn into the succedent
of the premise on the left; (b) the value formula remains part of the
antecedent of the premise on the right; (c) the succedent of the conclusion remains
the succedent of the premise on the right (note that this ordering
of the premises is always possible). Therefore we will eventually reach the sequent
$c \Rightarrow c$, $c$ being the main value formula of $\gamma_j$.
This property allows us to restrict, without loss of completeness, the application
of the L-rules to complex formulae whose main value formula is the same as the
(atomic) target succedent.

Ad (ii) Let $\vdash_{LC} \gamma \Rightarrow c$. The only way of introducing $A_n$ as a left argument
formula of $\gamma_j$ is by an L-rule. Hence, there exists some $\alpha_n$ such that $\vdash_{LC} \alpha_n \Rightarrow A_n$,
because $\alpha_n \Rightarrow A_n$ is the left-hand premise of the L-rule. Otherwise, $A_n$
together with $c$ would have to be introduced by an axiom, but the succedent is supposed
to be an atomic type.

Note that we can first apply all L-rules for (/), followed by all L-rules for (\), or
vice versa, whatever the formula may be. That follows from the theorems:
(a) $\vdash_{LC} (A\backslash(B/D))/C \Rightarrow ((A\backslash B)/D)/C$

(b) $\vdash_{LC} ((A\backslash B)/D)/C \Rightarrow (A\backslash(B/D))/C$

(c) $\vdash_{LC} C\backslash((D\backslash B)/A) \Rightarrow C\backslash(D\backslash(B/A))$

(d) $\vdash_{LC} C\backslash(D\backslash(B/A)) \Rightarrow C\backslash((D\backslash B)/A)$

Ad (iii) Similar to (ii).
Ad (iv) Immediate from successive applications of /L and \L.
(3) The algorithm stops. For any sequence of data and target, the number
of tasks is finite, and every step reduces the complexity of the data and/or the
target.
(4) The algorithm finds every distinct deduction, and finds each only once.

If there are several formulae in $\gamma$ such that (i)-(iii) hold, each case corresponds
to a non-equivalent deduction of $\gamma \Rightarrow c$.

The proof is based upon the fact that property (2.2) may be regarded as the
construction of a proof-net for $\gamma \Rightarrow c$ (in the equivalent fragment of
non-commutative linear logic). The axiom $c \Rightarrow c$ becomes the construction of an
axiom-link, and the points (ii) and (iii) become the construction of the corresponding
sub-proof-nets with no overlap. Different axiom-links produce different
proof-nets.


3 An Abductive Mechanism for NLP 


We say a sequent is open if it has any unknown category instance in the
antecedent and/or in the succedent; otherwise we say the sequent is closed. We use
upper case Latin letters from the end of the alphabet (X, Y, Z) for non-optional
unknown categories, and X*, Y*, Z* for optional unknown categories.


3.1 Learning and Discovery Processes 


We consider two abductive mechanisms, which we call learning and
discovery processes, depending on the form of the target sequent. Discovery
processes are related to tasks involving open sequents; learning processes are
related to tasks involving closed sequents.


1. Given a closed sequent, we may subdivide the possible tasks into: 

(a) Grammatical correctness: merely to check whether or not a sequence of data
yields a target. This is the normal use of LC.

(b) If a closed sequent is not provable, we can introduce a procedure for 
learning in two ways: according to data priority or according to target 
priority. 

i. If we have certainty about data, and a closed target is not provable
from them, we remove the given target and search for a
(minimum) new target that is provable from data. The target must
be a minimum in order to avoid the infinitely many solutions
produced by the type-raising rule.

ii. If we have certainty about target, and the set of closed data does
not prove it, we replace data, by re-typing the necessary
lexical items, in such a way that the target becomes provable from
these new data.


iii. If we have certainty about data and about target, we could consider
the sequence as a linguistic phenomenon that falls beyond a
context-free grammar (ellipsis, etc.).

In both cases (b.i) and (b.ii) we can appropriately say that we learn new
syntactic uses. Moreover, in case (b.ii) we carry out a revision of the
lexicon.

2. An open sequent is related to discovery tasks. In a sense, every discovery
task can also be regarded as a learning one (or vice versa).
However, we prefer to differentiate them by pointing out that
they are based on formal features of the sequents.


3.2 The Abductive Mechanism


The objectives outlined above require the parsing algorithm (hereafter LC)
to be extended with an abductive mechanism (hereafter ACG, Abductive
Categorial Grammar) for handling open sequents and removing types if
necessary. ACG manages:

(i) input sequences either from corpora or users; 

(ii) information contained in the lexicon; 

(iii) data transfer to LC; 

(iv) input adaptation and/or modification, if necessary; 

(v) output of LC; 

(vi) requests to the user for a choice;

(vii) addition of new types to the lexicon (its update).

What we have called an abductive mechanism mostly concerns point (iv).
We sketch only its main steps, which account for the learning
and discovery processes. As with the parsing algorithm (Section 2.3), we present the
procedure in a pseudo-Prolog fashion.


procedure learning
input: (data ⇒ target)(A)
    such that ⊬LC data ⇒ target, closed(data), closed(target)
output: substitution {A := B}
    such that ⊢LC (data ⇒ target){A := B}
process:
CASE certainty_about_target:
    LET [A_1, ..., A_n] := data
    FOREACH A_i ∈ [A_1, ..., A_n] DO
        LET new_data := [..., A_{i-1}, X_i, A_{i+1}, ...]
        {X_i := B_i} := discovering new_data ⇒ target
    END FOR
    RETURN {A_1 := B_1, ..., A_n := B_n}
CASE certainty_about_data:
    {X := B} := discovering data ⇒ X
    RETURN {A := B}
END procedure learning

procedure discovering
input: (data ⇒ target)(X)
output: {X := B}
    such that ⊢LC (data ⇒ target){X := B}
process:
CASE open_target: data ⇒ X
    IF data = [B]
    THEN RETURN {X := B}
    IF data = [F_1, ..., F_n]
    THEN FOREACH F_i (1 ≤ i ≤ n), F_i ∉ BASCAT, DO
        LET c_i := search_value(F_i)
        {Y_i* := B_i, Z_i* := C_i} := new_proof Y_i*, data, Z_i* ⇒ c_i
    END FOR
    RETURN {X_1 := B_1\c_1/C_1, ..., X_n := B_n\c_n/C_n}
CASE open_data: data(X_1, ..., X_n) ⇒ target
    IF data = [X]
    THEN RETURN {X := target}
    FOREACH X_i (1 ≤ i ≤ n) DO
        LET [F_1, ..., F_{i-1}, X_i, F_{i+1}, ..., F_n] := data
        LET c := target
        LET new_data := [F_1, ..., Y*\c/Z*, ..., F_n]
        {X_i := B_i\c/C_i} := new_proof new_data ⇒ target
    END FOR
    RETURN {X_1 := B_1\c/C_1, ..., X_n := B_n\c/C_n}
END procedure discovering


3.3 Remarks on ACG


The old proof procedure (2.3) has to be adapted into a new_proof one. To achieve
this goal, we make two main changes: (a) the old proof procedure was built to
work with closed sequents and now it should be able to deal with open ones;
(b) the old proof procedure was initially designed to return a proof tree but it
should now return the substitution that makes the open sequent provable.

The old proof algorithm may work with open sequents, behaving as an
abductive mechanism, if we consider the (=) operator as unification. It is well
known that the unification algorithm produces the substitution we are looking
for.

Two major changes come (a) from the search_value(c in data) procedure,
and (b) from the reduce procedure.

(a) The search_value procedure was considered to be self-evident, but now
it needs further explanation inasmuch as unknown data or targets are present.
What does a value occurrence of X in Y mean? We discuss the change in
the process that considers a formula to be the main value of another one.


procedure search_value
input: (formula from data, target formula)
output: ([left_argument_path], target formula, [right_argument_path]) or FAIL
CASE closed data (F) and closed target (c):
    CASE F = c: RETURN ([], c, [])
    CASE F = B\A: RETURN ([B] + γ, c, δ)
        where (γ, c, δ) := search_value(A, c)
    CASE F = A/B: RETURN (γ, c, [B] + δ)
        where (γ, c, δ) := search_value(A, c)
    OTHERWISE RETURN FAIL
CASE closed data (F) and open target (X):
    CASE F = c: RETURN X := c
    CASE F = B\A: RETURN STACK F
                  WITH search_value(A, c)
    CASE F = A/B: RETURN STACK F
                  WITH search_value(A, c)
CASE open data (Y) and closed target (c): RETURN ([], Y := c, [])
OTHERWISE RETURN FAIL
END procedure search_value


(b) Unknown categories may be either basic or complex ones. A treatment of
the second case is rather difficult and it forces us to introduce constraints for
bounding the search. We have to decide the upper bound of the complexity;
i.e. X may be $A\backslash c/B$, or $A_1\backslash A_2\backslash c/B_1/B_2$, etc. The reduce procedure requires
some adaptations for working with optional categories. Optional categories are
matched only if they are needed in the proof.


CASE X* in target:
    IF data = []
    THEN X* := []
    ELSE X* := X
CASE X* in data:
    IF target = []
    THEN X* := []
    ELSE
        LET [F_1, ..., X*, ..., F_n] := data
        IF proof [F_1, ..., F_n] ⇒ target ≠ FAIL
        THEN X* := []
        ELSE X* := new_proof [F_1, ..., X, ..., F_n] ⇒ target


Finally, let us note that type-raising rules yield sequents like the following:
$A \Rightarrow X/(A\backslash X)$ or $A \Rightarrow (X/A)\backslash X$, where A and X are arbitrary formulae, which are
provable in LC. The basic (deductive) proof algorithm is complete and has no
problem with the proof of such sequents, although some LC parsing algorithms in
the literature (mainly natural deduction based ones) are not complete because
the type-raising rules are not provable in them. Regarding our new_proof
algorithm, the problem arises when it works as an abductive process in which
X, the target consequent, is unknown; then it may be regarded as atomic or as
complex. Regarding it as atomic (our choice) causes no trouble but makes
the type-raising rule not provable (if the consequent is unknown). If we allow
an unknown consequent to be complex, then the process may enter an
endless loop. In fact, the type-raising rule allows us to infer an endless number
of more and more complex types.
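
As a worked illustration, the first type-raising sequent has the short LC derivation below, using one application of \L followed by one of /R. The fraction notation is only a typesetting convention assumed here for inference steps.

```latex
\[
\frac{\dfrac{A \Rightarrow A \qquad X \Rightarrow X}
            {A,\; A\backslash X \Rightarrow X}\;(\backslash L)}
     {A \Rightarrow X/(A\backslash X)}\;(/R)
\]
```

Since X is arbitrary here, the same two steps can be repeated with the conclusion type in place of A, which is why an unbounded abductive search over complex consequents need not terminate.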


3.4 Running ACG 


Example 1:

Data: “John loves”.

Initial state of the lexicon:

John = np
loves = np\s/np

Sketch of the abductive process:

(1) proof(np, np\s/np ⇒ s) = FAIL

(2) Certainty about data:
(2.1) np, np\s/np ⇒ X
(2.2) X := Y*\s/Z*
(2.3) Y*, np, np\s/np, Z* ⇒ s
(2.4) Y*, np ⇒ np; Z* ⇒ np
(2.5) Y* := []; Z* := np; X := s/np
Output:
• John loves = s/np

(3) Certainty about target:
(3.1) X, np\s/np ⇒ s
(3.2) X := s/Y*
(3.3) np\s/np ⇒ Y*
(3.4) Y* := np\s/np; X := s/(np\s/np)
Output:
• John = s/(np\s/np)
(3.5) np, X ⇒ s
(3.6) X := Y*\s/Z*
(3.7) np, Y*\s/Z* ⇒ s
(3.8) np ⇒ Y*; [] ⇒ Z*
(3.9) Y* := np; Z* := []
(3.10) X := np\s
Output:
• loves = np\s

(4) Certainty about data and target:
Output:
• John loves = np, np\s/np, ⇒ s.

Example 2:

Data: “someone bores everyone”.

Initial state of the lexicon:

someone = ? (unknown)
bores = np\s/np
everyone = ? (unknown)

X, np\s/np, Z ⇒ s

Sketch of the abductive process:
(1) X := s/Y*; s/Y*, np\s/np, Z ⇒ s


(1.1) np\s/np, Z ⇒ Y*
(1.2) Y* := Y1*\s/Y2*
(1.3) Y1*, np\s/np, Z, Y2* ⇒ s
(1.4) Y1* ⇒ np
(1.5) Z, Y2* ⇒ np
(1.6) Y1* := np; Z := np; Y2* := []
Output:
• someone = s/(np\s)
• everyone = np

(2) X ⇒ np; Z ⇒ np
(2.1) X := np; Z := np
Output:
• someone = np

(3) Z := Y*\s; X, np\s/np, Y*\s ⇒ s
(3.1) X, np\s/np ⇒ Y*
(3.2) Y* := Y1*\s/Y2*
(3.3) Y1*, X, np\s/np, Y2* ⇒ s
(3.4) Y1*, X ⇒ np
(3.5) Y2* ⇒ np
(3.6) Y1* := []; X := np; Y2* := np
Output:
• everyone = (s/np)\s

State of the lexicon after running ACG:

someone = np, s/(np\s)
bores = np\s/np
everyone = np, (s/np)\s


Abstract. We present a representation scheme for the declarative
formalization of strategies for action selection based on the situation
calculus and circumscription. The formalism is applied to represent a number
of heuristics for moving blocks in order to solve planning problems in the
blocks world. The formal model of a heuristic forward chaining planner,
which can take advantage of declarative formalizations of strategies for
action selection, is proposed. We describe experiments showing how the use of
declarative representations of strategies for action selection allows a heuristic
forward chaining planner to improve on the performance of state-of-the-art
planning systems.


1 Introduction 


Interesting research has recently been done on improving the performance of
domain independent planners using declarative representations of domain
knowledge [1], [8], [24]. Domain knowledge can be represented in a number of different
forms, such as task decomposition schemas [29], search control knowledge [1],
or heuristics for action selection [25]. This paper builds on previous work on
the declarative formalization of strategies for action selection [25], describing its
application to improving the performance of a forward chaining planner.

The idea is to use heuristics for action selection (such as “if a block can be
moved to final position¹, this should be done right away”) to circumscribe the
set of situations that should be considered by a planner to those situations that
are selectable according to a strategy for action selection. We use a declarative
formalization of strategies for action selection that allows refining the action
selection strategy used by a planner (and, therefore, pruning its search space)
by simple additions of better heuristics [19]. The incorporation of this idea into
a forward chaining planner leads to the notion of a heuristic forward chaining
planner, which can use declarative representations of action selection strategies
to reduce considerably the size of its search space. We present the declarative
formalization of an action selection strategy for the blocks world in section 4,
and we show how the planner can use this strategy for solving a number of blocks
world problems.


¹ In the blocks world, a block is in final position if it is on the table and it should be
on the table in the goal configuration, or if it is on a block it should be on in the
goal configuration and that block is in final position.

The paper is organized as follows. Section 2 presents a formal model of a
simple forward chaining planner. Section 3 introduces and formalizes the concept
of a heuristic forward chaining planner, which can use declarative
representations of action selection strategies. Section 4 describes a representation scheme
for the declarative formalization of action selection strategies proposed in [25].
Section 5 compares our approach to related work on the use of declarative
representations of domain knowledge for planning. Section 6 describes some
experiments comparing the performance of our heuristic forward chaining planner
and TLPlan [1]. Finally, section 7 summarizes our main contributions.


2 Forward Chaining Planner 


We begin with the formal description of a forward chaining planner which ex- 
plores the space of possible situations, i.e., the set of situations generable by 
applying executable sequences of actions to the initial situation, until it finds a 
situation that satisfies the goal conditions. The planner uses a bounded depth 
first search strategy to explore the space of situations. 

The formal model of the forward chaining planner, presented below, is based 
on a formalization of STRIPS [5] in the situation calculus described in [21]. 
Associated with each situation is a database of propositions describing the state 
associated with that situation. The predicate DB(f, s) asserts that propositional 
fluent f is in the database associated with situation s. Each action is described by 
a precondition list, an add list, and a delete list, which are formally characterized 
by the following predicates: (1) Prec(f,a) is true provided proposition f is a 
precondition of action a; (2) Del(f,a) is true if proposition f becomes false 
when action a is performed; (3) Add(f,a) is true if proposition f becomes true 
when action a is performed. The function Result maps a situation s and an 
action a into the situation that results when action a is performed in situation 
s. When an action is considered, it is first determined whether its preconditions 
are satisfied (axiom 1). If the preconditions are met, then the sentences on the 
delete list are deleted from the database, and the sentences on the add list are 
added to it (axiom 2). 

We assume uniqueness of names for every function symbol, and every pair of
distinct function symbols². The constant symbols $S_0$ and $S_g$ denote, respectively,
the initial and goal situations. The predicate Goal(s) is true provided situation s
satisfies all the conditions that are true at the goal situation $S_g$. The expression
$s <_r s_1$ means that $s_1$ can be reached from $s$ by performing a nonempty sequence
of executable actions. We introduce an axiom of induction for situations that
allows us to prove that a property holds for all the situations. This axiom also
constrains the domain of situations to those that can be reached ($<_r$) from the
initial and goal situations [23].


² The symbols h and g are meta-variables ranging over distinct function symbols; x
and y denote tuples of variables.

The expression $s_1 <_{df} s_2$ is true provided situations $s_1$ and $s_2$ can both be
reached from $S_0$ (or can both be reached from $S_g$), and situation $s_1$ will be found
earlier than situation $s_2$ if the tree of situations reachable from $S_0$ (respectively,
from $S_g$) is explored using a depth first search strategy ($<_{alph}$ denotes the
alphabetic order). Finally, an action sequence p is the solution returned by the
planner if the situation resulting from performing p in the initial situation
satisfies the goal conditions and it is minimal with respect to the search strategy
of the planner. The constant K is a natural number that corresponds to the
maximum depth explored by the bounded depth first search strategy used by
the planner.

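\[ \mathit{Poss}(a,s) \leftrightarrow \forall f\,(\mathit{Prec}(f,a) \rightarrow \mathit{DB}(f,s)) \tag{1} \]
\[ \mathit{DB}(f,\mathit{Result}(a,s)) \leftrightarrow \mathit{Poss}(a,s) \wedge (\mathit{Add}(f,a) \vee (\mathit{DB}(f,s) \wedge \neg \mathit{Del}(f,a))) \tag{2} \]
\[ \forall x,y\,(h(x) = h(y) \rightarrow x = y); \quad \forall x,y\,(h(x) \neq g(y)) \tag{3} \]
\[ \mathit{Goal}(s) \leftrightarrow \forall f\,(\mathit{DB}(f,S_g) \rightarrow \mathit{DB}(f,s)) \tag{4} \]
\[ \forall s\,(\neg\, s <_r S_0) \wedge \forall s\,(\neg\, s <_r S_g) \wedge \forall a,s,s_1\,(s <_r \mathit{Result}(a,s_1) \leftrightarrow \mathit{Poss}(a,s_1) \wedge s \leq_r s_1) \tag{5} \]
\[ \forall P\,(P(S_0) \wedge P(S_g) \wedge \forall s,a\,(P(s) \wedge \mathit{Poss}(a,s) \rightarrow P(\mathit{Result}(a,s))) \rightarrow \forall s\,P(s)) \tag{6} \]
\[ s_1 <_{df} s_2 \leftrightarrow s_1 <_r s_2 \vee \exists a,b,s\,(a <_{alph} b \wedge \mathit{Result}(a,s) \leq_r s_1 \wedge \mathit{Result}(b,s) \leq_r s_2) \tag{7} \]
\[ \mathit{Length}(S_0) = 0 \wedge \mathit{Length}(S_g) = 0 \wedge \mathit{Length}(\mathit{Result}(a,s)) = 1 + \mathit{Length}(s) \tag{8} \]
\[ \forall s\,(\mathit{Result}([\,],s) = s) \wedge \forall a,p,s\,(\mathit{Result}([a|p],s) = \mathit{Result}(p,\mathit{Result}(a,s))) \tag{9} \]
\[ \mathit{Sol}(p) \leftrightarrow \exists s\,(s = \mathit{Result}(p,S_0) \wedge S_0 <_r s \wedge \mathit{Goal}(s) \wedge \mathit{Length}(s) \leq K \wedge \forall s_1\,(S_0 <_r s_1 \wedge \mathit{Goal}(s_1) \wedge \mathit{Length}(s_1) \leq K \rightarrow s \leq_{df} s_1)) \tag{10} \]


The axiom set $T_{FC} = \{1, \ldots, 10\}$ is our formal model of a forward chaining
planner.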


2.1 Blocks World Example 


We now present a formal model of the sort of information that must be
communicated to the forward chaining planner to solve a planning problem. This
information can be divided into domain dependent information (the precondition,
add and delete lists of the available actions), and problem dependent information
(the states associated with the initial and goal situations).

The variables x, y and z range over blocks. The constants A, B, C, and T
(for Table) are of the sort block. The function symbol On maps a pair of blocks x
and y into the propositional fluent On(x, y) describing the fact that block x is on
block y. The function symbol Clear maps a block x into the propositional fluent
Clear(x) describing the fact that there is space on block x to place another block.
We include a domain closure axiom for blocks. The initial and goal configurations
are described by axioms 15 and 16. The function symbol Move maps a triple
of blocks x, y and z into the action Move(x, y, z) denoting the act of moving
block x from y to z. The precondition, delete and add lists of Move(x, y, z) are
as follows.


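\[ \mathit{Prec}(f,\mathit{Move}(x,y,z)) \leftrightarrow f = \mathit{Clear}(x) \vee f = \mathit{On}(x,y) \vee (z \neq T \wedge f = \mathit{Clear}(z)) \tag{11} \]
\[ \mathit{Del}(f,\mathit{Move}(x,y,z)) \leftrightarrow f = \mathit{On}(x,y) \vee (z \neq T \wedge f = \mathit{Clear}(z)) \tag{12} \]
\[ \mathit{Add}(f,\mathit{Move}(x,y,z)) \leftrightarrow f = \mathit{On}(x,z) \vee (y \neq T \wedge f = \mathit{Clear}(y)) \tag{13} \]
\[ \forall x\,(x = A \vee x = B \vee x = C \vee x = T) \tag{14} \]
\[ \mathit{DB}(f,S_0) \leftrightarrow \exists x,y\,((f = \mathit{On}(x,y) \wedge ((x = A \wedge y = T) \vee (x = B \wedge y = T) \vee (x = C \wedge y = A))) \vee (f = \mathit{Clear}(x) \wedge (x = B \vee x = C))) \tag{15} \]
\[ \mathit{DB}(f,S_g) \leftrightarrow \exists x,y\,(f = \mathit{On}(x,y) \wedge ((x = A \wedge y = B) \vee (x = B \wedge y = C) \vee (x = C \wedge y = T))) \tag{16} \]


The axiom sets $T_{BW1} = \{11, \ldots, 13\}$ and $T_{P1} = \{14, \ldots, 16\}$ constitute our
formal models of the blocks world domain and the problem known as Sussman’s
anomaly, respectively.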
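
To make the model concrete, the following Python sketch runs a bounded depth-first forward chaining search on Sussman's anomaly. It is a minimal illustration under stated assumptions rather than the planner evaluated in the paper: states are sets of fluent tuples, the names `move`, `plan`, `ACTIONS`, `S0` and `SG` are hypothetical, and only moves whose three arguments are distinct (with a real block as the moved object) are enumerated.

```python
from itertools import permutations

TABLE = "T"
BLOCKS = ["A", "B", "C"]


def move(x, y, z):
    """Precondition, delete and add lists of Move(x, y, z), after axioms 11-13."""
    prec = {("Clear", x), ("On", x, y)}
    dele = {("On", x, y)}
    add = {("On", x, z)}
    if z != TABLE:               # the destination block must be clear and gets covered
        prec.add(("Clear", z))
        dele.add(("Clear", z))
    if y != TABLE:               # the block left behind becomes clear
        add.add(("Clear", y))
    return prec, dele, add


# Assumption: x is never the table and x, y, z are pairwise distinct.
ACTIONS = sorted(
    (x, y, z) for x, y, z in permutations(BLOCKS + [TABLE], 3) if x != TABLE
)


def plan(state, goal, depth):
    """Bounded depth-first search; actions are tried in alphabetic order."""
    if goal <= state:            # Goal(s): every goal fluent is in the database
        return []
    if depth == 0:
        return None
    for action in ACTIONS:
        prec, dele, add = move(*action)
        if prec <= state:        # Poss(a, s), as in axiom 1
            rest = plan((state - dele) | add, goal, depth - 1)   # axiom 2
            if rest is not None:
                return [action] + rest
    return None


# Initial and goal databases, after axioms 15 and 16.
S0 = frozenset({("On", "A", TABLE), ("On", "B", TABLE), ("On", "C", "A"),
                ("Clear", "B"), ("Clear", "C")})
SG = frozenset({("On", "A", "B"), ("On", "B", "C"), ("On", "C", TABLE)})
```

Calling `plan(S0, SG, 3)` returns the three-step plan that moves C to the table, then B onto C, then A onto B; with a bound of 2 the search fails, since each of the three blocks has to move at least once.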


3 Heuristic Forward Chaining Planner 


A heuristic forward chaining planner is a forward chaining planner that explores 
the space of selectable situations, rather than the space of possible situations. 
Selectable situations are those that can be generated by applying sequences of 
selectable actions to the initial situation. A heuristic forward chaining planner 
needs information that goes beyond the classical specification of a planning prob- 
lem. In particular, it needs to know what actions are selectable at a particular 
situation. 

In the following section, we address the issue of how a user can specify such
information. Let us assume, for a moment, that the user supplies a definition of the
predicate Sel(a, s), which is true provided action a can be selected at situation s,
along with the specification of a planning problem. Then, the only modification
that we need to make to the formal model of the forward chaining planner $T_{FC}$
in order to obtain the formal model of the heuristic forward chaining planner
$T_{HFC}$ is to replace the predicate Poss by the predicate Sel in axiom 5³.
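
The effect of swapping Poss for Sel can be sketched with a generic bounded depth-first search that takes the selection predicate as a parameter. The toy counter domain, the function names and the `stats` dictionary below are all hypothetical and serve only to show how a selection predicate shrinks the explored space.

```python
def forward_chain(state, is_goal, successors, selectable, depth, stats):
    """Bounded depth-first search that only expands actions accepted by `selectable`."""
    stats["visited"] += 1
    if is_goal(state):
        return []
    if depth == 0:
        return None
    for action, next_state in successors(state):
        if not selectable(action, state):
            continue                      # pruned: the action is not selectable here
        rest = forward_chain(next_state, is_goal, successors,
                             selectable, depth - 1, stats)
        if rest is not None:
            return [action] + rest
    return None


def counter_successors(n):
    """Toy domain: a counter that can be decremented or incremented."""
    return [("dec", n - 1), ("inc", n + 1)]


def always(action, state):
    """Plays the role of Poss in the toy domain: every action is executable."""
    return True


def only_inc(action, state):
    """Plays the role of Sel: a heuristic that never moves away from the goal."""
    return action == "inc"


plain_stats = {"visited": 0}
plain_plan = forward_chain(0, lambda n: n == 3, counter_successors,
                           always, 3, plain_stats)

heuristic_stats = {"visited": 0}
heuristic_plan = forward_chain(0, lambda n: n == 3, counter_successors,
                               only_inc, 3, heuristic_stats)
```

Both runs return the same plan, but the heuristic run visits only the four states on the solution path, whereas the plain run also explores the decrement branches first.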


4 Declarative Formalization of Strategies for Action 
Selection 


In [25], we proposed a representation scheme for the declarative formalization 
of strategies for action selection based on the situation calculus [18] and circum- 
scription [20]. The idea is to represent strategies for action selection as sets of 
action selection rules [7]. An action selection rule is an implication whose an- 
tecedent is a formula of the situation calculus, and whose consequent can take 
one of the following forms: Good(a, s), Bad(a,s) or Better(a, b, s). The intuitive 
interpretation of these predicates is that performing action a at situation s is 
good, bad, or better than performing action b. 

The following action selection rules describe some heuristics for determining
what blocks should be moved in order to solve planning problems in the blocks
world: (1) If a block can be moved to final position, this should be done right
away (axiom 17); (2) If a block is not in final position and cannot be moved to
final position, it is better to move it to the table than anywhere else (axiom 18);
(3) If a block is in final position, do not move it (axiom 19); (4) If a block is
above another block it ought to be above but it is not in final position (i.e., it is
in tower-deadlock position), put it on the table (axiom 20).


³ This replacement redefines the reachability relation $<_r$ as follows: $s_1 <_r s_2$ is true
provided $s_2$ can be reached from $s_1$ by performing a sequence of selectable actions.


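\[ \neg \mathit{Holds}(\mathit{Final}(x),s) \wedge \mathit{Holds}(\mathit{On}(x,y),s) \wedge \mathit{Holds}(\mathit{On}(x,z),S_g) \wedge (z = T \vee \mathit{Holds}(\mathit{Final}(z),s)) \wedge \mathit{Poss}(\mathit{Move}(x,y,z),s) \rightarrow \mathit{Good}(\mathit{Move}(x,y,z),s) \tag{17} \]

\[ \neg \mathit{Holds}(\mathit{Final}(x),s) \wedge \mathit{Holds}(\mathit{On}(x,y),s) \wedge \mathit{Holds}(\mathit{On}(x,z),S_g) \wedge (\neg \mathit{Holds}(\mathit{Final}(z),s) \vee \neg \mathit{Poss}(\mathit{Move}(x,y,z),s)) \wedge w \neq T \rightarrow \mathit{Better}(\mathit{Move}(x,y,T),\mathit{Move}(x,y,w),s) \tag{18} \]

\[ \mathit{Holds}(\mathit{On}(x,y),s) \wedge \mathit{Holds}(\mathit{Final}(x),s) \rightarrow \mathit{Bad}(\mathit{Move}(x,y,z),s) \tag{19} \]

\[ \mathit{Holds}(\mathit{On}(x,y),s) \wedge \mathit{Holds}(\mathit{TD}(x),s) \rightarrow \mathit{Good}(\mathit{Move}(x,y,T),s) \tag{20} \]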


The predicate Holds(f, s) is true provided propositional fluent f is true at
situation s. A block is in final position, Holds(Final(x), s), if it is on the table
and it should be on the table in the goal configuration, or if it is on a block
it should be on in the goal configuration and that block is in final position. A
block is in tower-deadlock position, Holds(TD(x), s), if it is above another block
it ought to be above but it is not in final position. Section 4.3 contains formal
definitions of these symbols.

A consistent set of action selection rules (such as $S_1 = \{17, 18, 19, 20\}$) defines
a strategy for action selection.


4.1 Nonmonotonic Interpretation 


The formal semantics of a strategy for action selection $T_S$ is given by $INT(T_S)$
[25], the nested abnormality theory specified on the right hand side of formula
22. Nested abnormality theories [16] extend simple abnormality theories [22] by
allowing the specification of nested applications of the circumscription operator
[20]. $INT(T_S)$ characterizes the conditions under which an action is good or bad
for a particular situation, by jumping to the conclusions that: (1) an action is
“not good” unless the action selection rules in $T_S$ imply that it is good; and (2) an
action is “not bad” unless the action selection rules in $T_S$, together with axiom
21, imply that it is bad. Axiom 21 asserts that an action is bad for a particular
situation if there exists a better action for the same situation.


\[ \mathit{Better}(a_1,a_2,s) \rightarrow \mathit{Bad}(a_2,s) \tag{21} \]
\[ INT(T_S) = \{\mathit{Better}, \min \mathit{Bad} : 21, \{\min \mathit{Good} : T_S\}\} \tag{22} \]


Formally, this is achieved as follows. First, the predicate Good is
circumscribed with respect to the conjunction of the universal closures of the axioms
in $T_S$. Then, the predicate Bad is circumscribed with respect to the result of the
circumscription of Good in $T_S$ and the universal closure of axiom 21. Better is
allowed to vary because minimizing the extension of Bad may affect (through
axiom 21) the extension of Better.

This nonmonotonic interpretation of action selection strategies has both
representational and computational advantages. It allows describing strategies: (1)
succinctly, since it is not necessary to specify negative information (i.e., which
actions are not good, not bad, or not better than others); (2) according to a least
commitment policy, in which it is not necessary to assert that an action is good,
bad, or better than another unless it is known for sure; and (3) incrementally, since
it is possible to refine an action selection strategy by simple additions of better
heuristics (i.e., consistent action selection rules that may become available later
on). In these three cases, circumscription takes care of appropriately adapting
its consequences to the lack of information or the availability of new relevant
facts.

The following formal result establishes some conditions under which the
interpretation $INT(T_S)$ of a strategy for action selection $T_S$ can be computed by
a variant of Clark’s completion algorithm [4].


Proposition 1 If every axiom of $T_S$ is a first order action selection rule such
that its antecedent does not contain the predicates Good, Bad or Better, then
$INT(T_S)$ is equivalent to the conjunction of the first order sentences 23 and 24
resulting from the application of the completion algorithm described below to
$T_S$.


\[ \forall a,s\,(\mathit{Good}(a,s) \leftrightarrow A_S^{Good}(a,s)) \tag{23} \]
\[ \forall a,s\,(\mathit{Bad}(a,s) \leftrightarrow A_S^{Bad}(a,s) \vee \exists a_1,a_2\,(a = a_2 \wedge A_S^{Better}(a_1,a_2,s))) \tag{24} \]


Completion Algorithm Let $T_S$ be a declarative formalization of a strategy for
action selection. The axioms of $T_S$ are all of the form $A \rightarrow P(t_a,t_s)$, where $A$ is
a first order formula which does not contain the predicates Good, Bad or Better,
$t_a$ is a tuple of terms of the sort action, $t_s$ is a term of the sort situation, and $P$
is one of the predicates Good, Bad or Better.


Step 1 Replace each rule of the form $A \rightarrow P(t_a,t_s)$ in $T_S$ by
$A \wedge a = t_a \wedge s = t_s \rightarrow P(a,s)$, where $a$ is a tuple of new variables of the sort
action, and $s$ is a new variable of the sort situation.

Step 2 Replace each rule $A_i(a,s) \rightarrow P(a,s)$ obtained in the previous step by
$\exists \mathbf{x}\, A_i(a,s) \rightarrow P(a,s)$, where $\mathbf{x}$ are the free variables in the original rule.

Step 3 For each $P$, replace all the rules of the form $A'_i(a,s) \rightarrow P(a,s)$ obtained
in step 2 by a single rule of the form $\bigvee_i A'_i(a,s) \rightarrow P(a,s)$.

Step 4 Replace the rule $A_S^{Good}(a,s) \rightarrow \mathit{Good}(a,s)$ obtained in step 3 by
$\forall a,s\,(\mathit{Good}(a,s) \leftrightarrow A_S^{Good}(a,s))$.

Step 5 Replace the rules $A_S^{Bad}(a,s) \rightarrow \mathit{Bad}(a,s)$ and $A_S^{Better}(a_1,a_2,s) \rightarrow
\mathit{Better}(a_1,a_2,s)$ obtained in step 3 by a single rule⁴ of the form
$\forall a,s\,(\mathit{Bad}(a,s) \leftrightarrow A_S^{Bad}(a,s) \vee \exists a_1,a_2\,(a = a_2 \wedge A_S^{Better}(a_1,a_2,s)))$.


4 We assume the variables $a$, $a_1$ and $a_2$ of the sort action are distinct from each other.
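The five steps above can be sketched as a small string-rewriting routine. This is only an illustrative sketch, not the author's Prolog implementation: the rule representation (a tuple of free variables, antecedent text, head predicate, action terms and situation term), the ASCII connectives, and the names `normalize` and `complete` are all assumptions made for the example, and no logical simplification is attempted.

```python
from collections import defaultdict

# Head variables introduced in step 1 (the names are illustrative assumptions).
HEAD_VARS = {"Good": ["a"], "Bad": ["a"], "Better": ["a1", "a2"]}


def normalize(rule):
    """Steps 1 and 2: move the head terms into the antecedent as equalities,
    then existentially close the free variables of the original rule."""
    free_vars, antecedent, pred, action_terms, situation_term = rule
    equalities = [f"{v} = {t}" for v, t in zip(HEAD_VARS[pred], action_terms)]
    equalities.append(f"s = {situation_term}")
    body = " & ".join([antecedent] + equalities)
    prefix = f"exists {', '.join(free_vars)}. " if free_vars else ""
    return pred, f"{prefix}({body})"


def complete(rules):
    """Steps 3 to 5: build one disjunction per predicate and return the two
    biconditionals corresponding to sentences 23 and 24."""
    grouped = defaultdict(list)
    for rule in rules:
        pred, body = normalize(rule)
        grouped[pred].append(body)

    def disjunction(pred):
        # An empty disjunction is the constant false.
        return " | ".join(grouped[pred]) if grouped[pred] else "false"

    good = f"forall a, s. (Good(a, s) <-> {disjunction('Good')})"
    bad = (
        f"forall a, s. (Bad(a, s) <-> {disjunction('Bad')} | "
        f"exists a1, a2. (a = a2 & ({disjunction('Better')})))"
    )
    return good, bad


# Hypothetical single-rule strategy: TD(x, s1) -> Good(Movetotable(x), s1).
example_rules = [(["x", "s1"], "TD(x, s1)", "Good", ["Movetotable(x)"], "s1")]
good_def, bad_def = complete(example_rules)
```

With no rules for Bad or Better, the second sentence degenerates to a definition of Bad as false, which reflects the least commitment reading: nothing is bad unless some rule says so.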
Proof (Proposition 1) The semantics of nested abnormality theories is
characterized by a map $\varphi$ that translates blocks⁵ into sentences of a
second order language. Proposition 1 in [16] allows us to describe the semantics
of the nested abnormality theory INT($T_S$) as the following circumscription
formula⁶.

$\varphi(\{Better, \min Bad : 21, \{\min Good : T_S\}\}) = CIRC(21', CIRC(T_S; Good); Bad; Better)$


We use several rules for computing circumscription described in [15]. Formula
(19) and proposition 2 in [15] allow us to prove the following equivalence.
Formula 23 is the first order characterization of the predicate Good obtained in
step 4 of the completion algorithm, $T_{Bad}$ is the conjunction of the universal
closures of the action selection rules of the form $A \rightarrow Bad(t_a, t_s)$
in $T_S$, and $T_{Better}$ is the conjunction of the universal closures of the
action selection rules of the form $A \rightarrow Better(t_a, t_s)$ in $T_S$.

$CIRC(T_S; Good) \equiv 23 \land T_{Bad} \land T_{Better}$


The equivalence above, together with formula (19) and proposition 3 in [15],
allows us to simplify INT($T_S$) as follows. $T_{better}$ is the second order
formula obtained from $T_{Better}$ by substituting every instance of the
predicate constant Better by a similar predicate variable better.

$CIRC(21', CIRC(T_S; Good); Bad; Better) \equiv$
$CIRC(21', 23 \land T_{Bad} \land T_{Better}; Bad; Better) \equiv$
$23 \land CIRC(T_{Bad}, \exists better\,(21' \land T_{better}); Bad)$


Using equivalence (27) in section 3.2 of [15], we can prove that
$\exists better\,(21' \land T_{better})$ is equivalent to the following formula,
which does not depend on better. $A^{Better}(a_1, a_2, s)$, $a_1$, $a_2$, $a$ and
$s$ are as described in step 5 of the completion algorithm.


$\forall a, s\,(\exists a_1, a_2\,(a = a_2 \land A^{Better}(a_1, a_2, s)) \rightarrow Bad(a, s))$ (25)


Finally, proposition 1 in [15] allows us to compute the result of circumscribing
$T_{Bad}$ and 25 with respect to Bad. Formula 24 is the first order
characterization of the predicate Bad obtained in step 5 of the completion
algorithm.


$23 \land CIRC(T_{Bad}, 25; Bad) \equiv 23 \land 24$ $\Box$


For example, the nonmonotonic interpretation INT(S1) of action selection
strategy S1 (described by action selection rules 17 to 20) can be computed by
the completion algorithm. We show the result of the last step of the algorithm.


$\forall a, s\,(Good(a, s) \leftrightarrow$
$\quad \exists x, y, z\,(\neg Holds(Final(x), s) \land Holds(On(x, y), s) \land Holds(On(x, z), S_g) \land$
$\qquad (z = T \lor Holds(Final(z), s)) \land Poss(Move(x, y, z), s) \land a = Move(x, y, z)) \lor$
$\quad \exists x, y\,(Holds(On(x, y), s) \land Holds(TD(x), s) \land a = Move(x, y, T)))$

$\forall a, s\,(Bad(a, s) \leftrightarrow$
$\quad \exists x, y, z\,(Holds(On(x, y), s) \land Holds(Final(x), s) \land a = Move(x, y, z)) \lor$
$\quad \exists a_1, a_2\,(a = a_2 \land \exists x, y, z, w\,(\neg Holds(Final(x), s) \land Holds(On(x, y), s) \land Holds(On(x, z), S_g) \land$
$\qquad (\neg Holds(Final(z), s) \lor \neg Poss(Move(x, y, z), s)) \land w \neq T \land a_1 = Move(x, y, T) \land$
$\qquad a_2 = Move(x, y, w))))$


5 Blocks are the equivalent of axioms in nested abnormality theories (see [16]).
6 In the following, we denote the universal closure of a formula A by A'.

These two formulas characterize the conditions under which a move is good
or bad for a particular situation according to the strategy for action
selection S1.


4.2 Mechanism for Action Selection 


The interpretation of an action selection strategy gives us a characterization of 
the conditions under which an action is good or bad for a particular situation. 
Suppose the user supplies, along with an action selection strategy, a theory of 
action that allows the planner to determine whether these conditions hold or not 
for a particular situation. Then, the planner could infer what actions are good 
or bad for every situation, and use that information to determine what actions 
should be selected. 

The following axiom characterizes the set of selectable actions for a particular 
situation. The predicate Poss(a,s) is true provided action a can be executed at 
situation s (axiom 1). 


$Sel(a, s) \leftrightarrow Poss(a, s) \land (Good(a, s) \lor (\neg\exists b\, Good(b, s) \land \neg Bad(a, s)))$ (26)


According to the action selection mechanism described by axiom 26, an action 
is selectable at a particular situation if it is executable and good for that situation, 
or if there are no good actions for that situation and it is executable and not 
bad for that situation. 
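The selection mechanism of axiom 26 can be illustrated for a single fixed situation with a few lines of Python. This is a sketch under stated assumptions: the function name `selectable` is hypothetical, the candidate actions are given as a finite list, and `poss`, `good` and `bad` are assumed to be already-evaluated tests for that situation.

```python
def selectable(actions, poss, good, bad):
    """Return the actions a such that Poss(a) holds and either Good(a) holds,
    or no action at all is good and Bad(a) does not hold (axiom 26)."""
    # The existential in axiom 26 ranges over all actions, executable or not.
    any_good = any(good(b) for b in actions)
    return [
        a for a in actions
        if poss(a) and (good(a) or (not any_good and not bad(a)))
    ]


# Hypothetical situation with three candidate actions.
candidates = ["m1", "m2", "m3"]
with_good = selectable(candidates, lambda a: True,
                       lambda a: a == "m1", lambda a: a == "m3")
without_good = selectable(candidates, lambda a: True,
                          lambda a: False, lambda a: a == "m3")
```

When a good action exists, only good executable actions are returned; otherwise every executable action that is not bad remains selectable.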


4.3 Blocks World (Continuation)


In order to interpret action selection rules, such as axioms 17 to 20, in terms of 
the theory of action described in section 2, we need to establish a connection 
between what holds at a situation and what is in the database associated with 
that situation. In this paper, we assume that the state associated with any 
situation can be described in terms of the truth values of a finite set of frame 
fluents [18] [14]. The rest of the fluents, called defined fluents, are described in 
terms of the frame fluents. The database associated with a situation determines 
the truth values of the frame fluents as follows: a frame fluent holds at a particular 
situation if and only if it is in the database associated with that situation. 


$Frame(f) \rightarrow (Holds(f, s) \leftrightarrow DB(f, s))$ (27)


The frame fluents for the blocks world are those of the form On(x,y) or
Clear(x). In addition to frame fluents, we use a number of defined fluents, such
as final, above⁷, and tower-deadlock.


7 If we assume uniqueness of names, a complete characterization of the predicate DB
for the initial and goal situations, an axiom of induction for situations, and that there
is only a finite number of blocks (as we do), the definitions of Holds(Final(x), s)
and Holds(Above(x,y),s) provided allow us to characterize the extensions of these
formulas.
$Frame(f) \leftrightarrow \exists x, y\,(f = On(x, y) \lor f = Clear(x))$ (28)

$Holds(Final(x), s) \leftrightarrow (Holds(On(x, T), s) \land Holds(On(x, T), S_g)) \lor$ (29)
$\quad \exists y\,(Holds(Final(y), s) \land Holds(On(x, y), s) \land Holds(On(x, y), S_g))$

$Holds(Above(x, y), s) \leftrightarrow Holds(On(x, y), s) \lor \exists z\,(Holds(On(x, z), s) \land$ (30)
$\quad Holds(Above(z, y), s))$

$Holds(TD(x), s) \leftrightarrow \neg Holds(Final(x), s) \land \exists y\,(y \neq T \land$ (31)
$\quad Holds(Above(x, y), s) \land Holds(Above(x, y), S_g))$
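The defined fluents of axioms 29 to 31 can be evaluated directly on a concrete state. The sketch below is an illustration only: it assumes a state is a Python dict mapping each block to what it rests on (another block or the table `"T"`), that states are well formed (no cycles), and the function names are hypothetical.

```python
TABLE = "T"


def final(x, state, goal):
    """Axiom 29: x rests on the same support as in the goal, and that support
    is either the table or a block that is itself in final position."""
    support = state[x]
    if support != goal[x]:
        return False
    return support == TABLE or final(support, state, goal)


def above(x, y, state):
    """Axiom 30: y is reached by following the supports downwards from x."""
    z = state[x]
    while z != TABLE:
        if z == y:
            return True
        z = state[z]
    return False


def tower_deadlock(x, state, goal):
    """Axiom 31: x is not final and is above some block y both now and in the goal."""
    if final(x, state, goal):
        return False
    return any(above(x, y, state) and above(x, y, goal)
               for y in state if y != x)


# Sussman's anomaly: C on A, with A and B on the table; goal tower A on B on C.
sussman_initial = {"A": TABLE, "B": TABLE, "C": "A"}
sussman_goal = {"A": "B", "B": "C", "C": TABLE}
```

On this initial state no block is final and none is in tower-deadlock position, which agrees with the discussion of Sussman's anomaly in this section.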


$T'_{BW} = T_{BW} \cup \{27, \ldots, 31\}$ is our extended theory of action for
the blocks world. Let $T_{S1}$ be the set of axioms INT(S1) $\cup$ {26} $\cup$
$T'_{BW}$. $T_{S1}$ is a formal model of the action selection strategy for the
blocks world described at the beginning of this section. We can use this axiom
set to simulate the behavior of the heuristic forward chaining planner when it
is given the description of Sussman's anomaly problem $T_{P1}$ along with the
strategy for action selection $T_{S1}$. For example, if the constant K (maximum
depth explored by the bounded depth first search strategy) is equal to 3, we can
prove that the heuristic forward chaining planner only needs to explore 3
situations before finding the optimal solution (shown below).


$T_{HFCP} \cup T_{S1} \cup T_{P1} \vdash Sol(\{Move(C, A, T), Move(B, T, C), Move(A, T, B)\})$


[Figure 1: block configurations for the situations INITIAL (S0), S1, S2 and
GOAL, annotated with Sel(a,S0) <=> a=Move(C,A,T), Sel(a,S1) <=> a=Move(B,T,C)
and Sel(a,S2) <=> a=Move(A,T,B).]


Fig. 1. Heuristic forward chaining planner using action selection strategy S1 for
solving Sussman's anomaly problem. There is a single selectable action for every
situation.


The planner only needs to explore three situations before finding an optimal
solution for the following reason. In the initial situation $S_0$, block C can
be moved to final position. Action selection rule 17 implies that Move(C,A,T) is
a good action. Blocks A and B are not in tower-deadlock position and cannot be
moved to final position, therefore there are no other good actions for the
initial situation. Thus, the action selection mechanism (axiom 26) implies that
Move(C,A,T) is the only selectable action for $S_0$.

Let $S_1$ be Result(Move(C,A,T), $S_0$). Block B can be moved to final position
in $S_1$. The rest of the blocks are not in tower-deadlock position and cannot be
moved to final position. Therefore, Move(B,T,C) is the only good and thus
selectable action for $S_1$.

Let $S_2$ be Result({Move(C,A,T), Move(B,T,C)}, $S_0$). Block A can be moved
to final position in $S_2$. The rest of the blocks are in final position.
Therefore, Move(A,T,B) is the only selectable action for $S_2$.

Result({Move(C, A,T), Move(B,T,C), Move(A, T, B)}, So) is the first situ- 
ation found by the planner that satisfies the Goal predicate. Therefore, axiom 10 
implies that the action sequence {Move(C,A,T), Move(B,T,C), Move(A,T,B)} 
is the solution returned by the planner. 


5 Related Work 


Various techniques have been used to exploit domain knowledge for planning. 
HTN (hierarchical task network) planners [29] use domain knowledge in the form
of task decomposition schemas, which go beyond the specification of
preconditions and effects of actions used by classical planners. Domain knowledge has also
been expressed in the form of search control knowledge. In particular, knowledge 
bases of forward chaining rules have been used to guide search. SOAR was the 
first system to use this approach [17], and a refined version of it is a prominent 
part of PRODIGY [28]. A similar rule-based approach to search control has also 
been incorporated into UCPOP [2]. The main disadvantage of the rule-based 
approach used by these systems is that their search control rules are specified 
in terms of implementation details of their planning algorithms. This is not the 
case for the action selection rules presented in this paper, which are expressed 
in terms of domain knowledge only. 

In [11], a problem solver guided by negative heuristics (which tell a system 
what not to do) is described. The heuristics are specified in PROLOG, and relate 
the goal to the current state and anticipated action. They are designed to elimi- 
nate actions which clearly do not contribute to the goal. Four negative heuristics 
for the blocks world, which eliminate part of the search and are subsumed by 
axiom 18 in this paper, are proposed. 

In [24], a forward chaining planner, which uses a regression based theorem 
prover and an iterative deepening search strategy, is proposed. The planner 
requires the following types of information from the user: (1) a predicate goal(s), 
which is true if situation s satisfies the conditions of the goal for which a plan 
is sought; (2) a set of action precondition and successor state axioms for the 
primitive actions of the domain; and (3) a predicate badSituation(s), which is 
true if situation s is considered to be a bad situation for the planner to consider. 
The planner is implemented in GOLOG [13], and it has been extended to deal 
with concurrent actions and incomplete initial situations [6]. 

The representation scheme proposed in this paper is more expressive than 
those used in [11] and [24], in the sense that it allows the representation of positive 
heuristics (the predicate good tells a system what to do), and heuristics that 
establish preferences among actions (the predicate better establishes a partial 
order among actions). The predicate badSituation(s) allows pruning the search 
space by characterizing those situations from which a successful plan cannot be
reached, but it does not allow guiding the search in promising directions as the 
predicate good does in our formalization. 

The heuristics for the blocks world used in [6] prune approximately the same 
set of situations as action selection rules 17 to 19. In particular, the definition of 
good-tower is equivalent to our concept of final position. However, the heuristics 
in [6] do not consider the concept of tower-deadlock position, and therefore they 
cannot be used to discriminate between actions that move arbitrary blocks to 
the table (which are not necessarily optimal and can be postponed) and actions 
that move blocks in tower deadlock position to the table (which are necessary 
and should be executed right away). This is the meaning of action selection rule 
20. For example, the heuristics in [6] do not establish a preference between the
actions Movetotable(d) and Movetotable(g) in the situation resulting from
performing the sequence of actions {Movetotable(m), Movetotable(p),
Movetotable(n), Movetotable(f)} in the initial situation of the problem
described in [6]. However, if action Movetotable(g) is chosen, the resulting
plan contains one more action than the optimal plan. Action selection rule 20
allows characterizing Movetotable(d) as a good action, because block d is in
tower-deadlock position, and Movetotable(g) as an action that is not bad.

Our planner has not been designed to solve planning problems with incom- 
plete initial situations. However, the declarative formalization of action selec- 
tion strategies proposed in this paper is adequate for dealing with open world 
planning problems [6]. For example, if we add the definitions of Final(x,s),
Above(x,y,s) and TD(x,s) to the formalization of the blocks world presented
in [6], action selection strategy Sp = {32,...,37} can be used for solving the
open blocks world planning problem described in that paper⁸.


$\neg Final(x, s) \land On(x, y, S_g) \land Final(y, s) \rightarrow Good(Move(x, y), s)$ (32)
$\neg Final(x, s) \land Ontable(x, S_g) \rightarrow Good(Movetotable(x), s)$ (33)
$\neg Final(x, s) \land On(x, y, S_g) \land (\neg Final(y, s) \lor \exists z\, On(z, y, s)) \rightarrow$ (34)
$\quad Better(Movetotable(x), Move(x, w), s)$
$Final(x, s) \rightarrow Bad(Move(x, y), s)$ (35)
$Final(x, s) \rightarrow Bad(Movetotable(x), s)$ (36)
$TD(x, s) \rightarrow Good(Movetotable(x), s)$ (37)


In [1], a planning system called TLPlan, which uses first order linear temporal 
logic to represent search control knowledge, is described. This logic is interpreted 
over sequences of worlds. In particular, the goal and temporal modalities
($\mathcal{U}$ until, $\Box$ always, $\Diamond$ eventually, and $\bigcirc$ next)
are used to assert properties of world
sequences. A search control formula describing the search control strategy to be 
used by the planner is specified by the user in this logic. This formula describes 


8 Some other changes to the formalization in [6] are required as well. For
example, the definition of the predicate Goal(s) should be replaced by
$Goal(s) \leftrightarrow \neg\exists x, y\,(On(x, y, S_g) \land \neg On(x, y, s)) \land \neg\exists x\,(Ontable(x, S_g) \land \neg Ontable(x, s))$.
Axioms 21, 26 and a new axiom describing the state associated with the goal
situation $S_g$ should be added as well. Space limitations do not allow a more
detailed explanation.
properties the sequences of worlds generated by applying successful plans to the
initial situation should satisfy. The planner uses a progression algorithm which 
serves as the basis for an incremental mechanism that allows checking whether 
a plan prefix, generated by forward chaining, could lead to a plan that satisfies 
the search control formula. Interesting experiments in which TLPlan is shown 
to perform better than state of the art planners, such as BlackBox [10], IPP 
[12], SatPlan [9], GraphPlan [3], PRODIGY [28] and UCPOP [2] in various test 
domains using search control formulas are described. 

TLPlan is an interesting example of a heuristic forward chaining planner, in 
which search control knowledge is expressed in terms of properties the sequences 
of worlds generated by selectable plans (rather than actions) must satisfy. The 
last search control formula used for the blocks world in [1] prunes approximately
the same set of situations as the first three action selection rules of S1 (the
action selection strategy proposed in section 4 of this paper). In particular, their
definition of good-tower is equivalent to our concept of final position. 

An advantage of our proposal is the availability of a formal model of the 
planner which allows limited forms of meta-reasoning, such as determining the 
correctness, redundancy, inconsistency or quality of different strategies for action 
selection. This is an important feature that may allow the planner to reject 
incorrect strategies, and to provide its users with feedback on how to improve
their strategies. This is not possible in TLPlan, because it does not have a
formal description of its own mechanism for action selection which allows it to 
reason about the consequences of adopting a particular strategy. 


6 Experiments 


We have implemented a heuristic forward chaining planner which can use declar- 
ative representations of planning domains and strategies for action selection in 
Prolog. The planner has been applied to solve some blocks world problems using 
S1, the strategy for action selection described in section 4. The first problem set 
(shown in table 1) consists of 10 randomly generated blocks world problems of 
25 blocks. The second problem set (shown in table 2) consists of 6 blocks world 
problems of different sizes. The sizes of the problems are specified in the first 
column of table 2. For each problem, we have computed the number of blocks 
that are initially in final and tower deadlock positions (columns Final and TD). 

The numbers in the columns Steps, Nodes, and Time correspond to the num- 
ber of steps of the plans found by our planner, the number of situations (nodes) 
explored, and the time in milliseconds spent on planning. 

We have compared our results with those obtained from running the same 
problems in TLPlan. The numbers in the columns Steps TLPlan, Nodes TLPlan,
and Time TLPlan correspond to the number of steps of the plans found by 
TLPlan, the number of situations (nodes) actually explored, and the time in 
milliseconds taken by TLPlan. 

In order to make a fair comparison, we have subtracted one from the number of
nodes explored by TLPlan, because we do not count the initial situation.
It should be noted as well that we have used the domain definition and control
strategy in LinearBlocksWorld.tlp (see http://www.uwaterloo.ca/~fbacchus). In
this domain definition, four actions (pickup(x), putdown(x), stack(x,y),
unstack(x,y)) are used to model the dynamics of the blocks world. We have used a
single action Move(x,y,z), which corresponds to two TLPlan actions. Therefore,
the plans obtained by TLPlan should be twice as long as ours, and the number of
nodes explored should be 2n + 1, where n is the number of nodes explored by our
planner. The formulas we have used to compute the numbers shown in the columns
Steps TLPlan and Nodes TLPlan are s/2 and (x - 1)/2, respectively, where s is the
number of steps of the plans found by TLPlan, and x is the number of nodes
actually explored by TLPlan.
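The normalization just described amounts to two small formulas. The helper below is a hypothetical illustration (the function name and the sample raw counts are assumptions, not values from the log files).

```python
def normalize_tlplan(raw_steps, raw_nodes):
    """Convert raw TLPlan counts to the scale of the single Move action:
    steps are halved, and nodes are mapped through (x - 1) / 2."""
    return raw_steps / 2, (raw_nodes - 1) / 2


# Hypothetical raw counts: a 52-step TLPlan plan that explored 53 nodes.
steps_tlplan, nodes_tlplan = normalize_tlplan(52, 53)
```

Under these assumed raw values both normalized figures equal 26, the scale on which the Steps TLPlan and Nodes TLPlan columns are reported.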

Comparing the numbers in the columns Steps and Steps TLPlan, it can be 
observed that TLPlan cannot find optimal plans (i.e., with a minimum number 
of steps) for 10 of the 16 problems posed. Our planner obtains optimal plans for 
the 16 problems. As far as planning time is concerned, our planner is faster than 
TLPlan. The only exceptions are the problems of sizes 15 and 19. However, the 
numbers of steps of the plans found by TLPlan are very far from optimality, 18 
and 25 steps versus 14 and 18 steps for the optimal plans. 


Table 1. Problems of 25 blocks ("?" marks an entry that is illegible in the source).

Prob  Final  TD  Steps  Nodes  Time   Steps   Nodes   Time
                                      TLPlan  TLPlan  TLPlan
1     1      2   26     26     0      26      26      58
2     0      1   36     36     0      38      38      91
3     3      1   23     23     0      25      25      58
4     7      0   18     18     0      20      20      52
5     7      2   20     20     0      20      20      46
6     1      4   28     28     0      30      30      68
7     1      6   30     30     0      37      37      91
8     1      ?   ?      37     0      37      37      85
9     ?      ?   ?      ?      0      29      29      68
10    1      ?   31     31     50     32      32      84

Table 2. Problems of different sizes ("?" marks an entry that is illegible in the source).

Size  Final  TD  Steps  Nodes  Time   Steps   Nodes   Time
                                      TLPlan  TLPlan  TLPlan
5     2      0   4      ?      0      5       5       4
13    1      3   15     15     0      15      15      19
15    2      0   14     274    320    18      18      26
19    2      0   18     3583   5610   25      25      47
25    5      1   22     29     50     22      22      51
50    24     0   26     26     0      26      26      158


The specification of the problems, the strategy for action selection, the Prolog 
code of the planner and the log files with the results of the experiments can be 
obtained from the author (jsierra@ii.uam.es). 
7 Conclusions


We have studied the use of declarative representations of action selection strate- 
gies for planning. First, we have presented a representation scheme for the declar- 
ative formalization of strategies for action selection, which has a number of ad- 
vantages. One of these advantages is the possibility of defining positive heuristics 
which can guide the search process in promising directions. The compositionality 
of our declarative representation of strategies for action selection is an impor- 
tant feature as well, since it allows refining an action selection strategy by simple 
additions of better heuristics. 

Then, we have proposed a formal model of a heuristic forward chaining plan- 
ner, which can take advantage of declarative representations of strategies for 
action selection. The availability of such a formal model not only shows the fea- 
sibility of our idea from a theoretical point of view, it also allows interesting 
forms of meta-reasoning about declarative formalizations of strategies for action 
selection, such as: (1) determining the correctness of a particular strategy (or a 
class of strategies) with respect to a given domain; (2) updating and composing 
strategic knowledge from different sources; or (3) determining whether a set of
heuristics improves, is inconsistent with, or is redundant with respect to a
particular strategy for action selection.

Finally, we have implemented a heuristic forward chaining planner in Prolog 
and run some experiments in order to determine whether this is indeed a practical 
idea. The experiments have shown that a heuristic forward chaining planner 
using declarative representations of strategies for action selection can improve 
the performance of state of the art planning systems, such as Blackbox, IPP or 
TLPlan. 
Abstract. We consider an algorithmic approach for revising inconsistent
data and restoring its consistency. This approach detects the
“spoiled” part of the data (i.e., the set of assertions that cause incon- 
sistency), deletes it from the knowledge-base, and then draws classical 
conclusions from the “recovered” information. The essence of this ap- 
proach is its coherence with the original (possibly inconsistent) data: 
On one hand it is possible to draw classical conclusions from any data 
that is not related to the contradictory information, while on the other 
hand, the only inferences allowed by this approach are those that do not 
contradict any former conclusion. This method may therefore be used
by systems that restore consistent information and must remain faithful to
their source of information. Common examples of this case are diagnostic
procedures that analyse faulty components of malfunctioning devices, and
database management systems that amalgamate distributed knowledge-bases.


1 Motivation 


In this paper we introduce an algorithmic approach to revise inconsistent infor- 
mation and restore its consistency. This approach (sometimes called “coherent” 
[5], or “conservative” [15]) considers contradictory data as useless, and uses only 
a consistent part of the original information for making inferences. To see the
rationale behind this approach consider, for instance, the following set of
propositional assertions:


$KB = \{p, \neg p, \neg p \lor q, r, \neg r \lor s\}$.


Since $\neg p$ is true in KB, so is $\neg p \lor q$ (even if $q$ is false), and
so a plausible inference mechanism should not apply here the Disjunctive
Syllogism to $p$ and $\neg p \lor q$. Intuitively, this is so since the
information regarding $p$ is contradictory, and so one should not rely on it for
drawing inferences. On the other hand, applying the Disjunctive Syllogism to
$\{r, \neg r \lor s\}$ may be justified by the fact that this subset of formulae
should not be affected by the inconsistency in KB, therefore inference rules
that are classically valid can be applied to it.


The two major goals of coherent approaches in general, and our formalism 
in particular, are therefore the following: 


M. Ojeda-Aciego et al. (Eds.): JELIA 2000, LNAI 1919, pp. 148-162, 2000. 
a) Detect and isolate “spoiled” parts of the knowledge-base, i.e.: Remove from
the knowledge-base subsets of assertions that cause inconsistency, 

b) Draw classical conclusions in a non-trivial way from any data that is not 
related to the contradictory information. Such inferences should be seman- 
tically coherent with the original data, that is: Only inferences that do not 
contradict any previously drawn conclusions are allowed. 


For achieving the goals above we consider an algorithmic approach that is 
based on a four-valued semantics [3,4]. Using a multiple-valued semantics is 
a common way to overcome the shortcomings of classical calculus (see, e.g., 
[3,6,7,12,13,14]), and as we shall see in what follows, four-valued semantics is 
particularly suitable for our purpose. 


A similar algorithmic approach for recovering stratified knowledge-bases,
which is also based on a four-valued semantics, was introduced in [1,2]. Here
we generalize and improve that approach in the sense that we consider a better
search engine, and provide an algorithm that recovers arbitrary knowledge-bases
rather than only stratified ones.


2 Background 


2.1 Belnap Four-Valued Lattice 


Our method is based on Belnap's well-known algebraic structure, introduced
in [3,4]. This structure consists of four truth values: the classical ones
($t$, $f$), a truth value ($\bot$) that intuitively represents lack of
information, and a truth value ($\top$) that may intuitively be understood as
representing contradictions. These four elements are simultaneously ordered in
two distributive lattices. In one of them, denoted by
$L_4 = (\{t, f, \top, \bot\}, \le_t)$, $f$ is the $\le_t$-minimal element, $t$ is
the $\le_t$-maximal one, and $\bot$, $\top$ are two intermediate values that are
incomparable. The partial order of this lattice may be intuitively understood as
representing differences in the amount of truth of each element. In the other
lattice, denoted by $A_4 = (\{t, f, \top, \bot\}, \le_k)$, $\bot$ is the
$\le_k$-minimal element, $\top$ is the $\le_k$-maximal one, and $t$, $f$ are two
intermediate values. The partial order $\le_k$ of this lattice intuitively
represents differences in the amount of knowledge (or information) that each
element exhibits. We denote Belnap's four-valued structure together with its two
partial orders by FOUR (see Figure 1).

As usual, we shall denote the $\le_t$-meet and the $\le_t$-join of FOUR by
$\land$ and $\lor$, respectively. In addition, we shall denote by $\neg$ the
involution operation on $\le_t$, for which $\neg\top = \top$ and
$\neg\bot = \bot$.
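The structure FOUR can be written down in a few lines of Python. The encoding below is an assumption made for illustration (it is not taken from the paper): each truth value is a pair (evidence for truth, evidence for falsity), which makes both orders and the three operations componentwise.

```python
# Assumed encoding: (evidence for truth, evidence for falsity).
T, F, TOP, BOT = (1, 0), (0, 1), (1, 1), (0, 0)


def leq_t(x, y):
    """Truth order: more evidence for truth and less evidence for falsity."""
    return x[0] <= y[0] and x[1] >= y[1]


def leq_k(x, y):
    """Knowledge order: more evidence of either kind."""
    return x[0] <= y[0] and x[1] <= y[1]


def meet(x, y):
    """Meet with respect to the truth order (conjunction)."""
    return (min(x[0], y[0]), max(x[1], y[1]))


def join(x, y):
    """Join with respect to the truth order (disjunction)."""
    return (max(x[0], y[0]), min(x[1], y[1]))


def neg(x):
    """Negation swaps the two kinds of evidence, so TOP and BOT are fixed points."""
    return (x[1], x[0])
```

With this encoding a value is designated exactly when its first component is 1, and the join of the two intermediate values of the truth order is `T`, as expected in a lattice whose top element is $t$.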


2.2  Knowledge-Bases: Syntax and Semantics 


The language we use here is the standard propositional one, based on the
propositional constants $t$, $f$, $\top$, $\bot$, and the connectives $\lor$,
$\land$, $\neg$ that correspond, respectively, to the join, meet, and the
negation operations w.r.t. $\le_t$. Atomic formulae are denoted by $p$, $q$,
literals (i.e., atomic formulae or their negations) are denoted by $l$, and
complex formulae are denoted by $\psi$, $\phi$. Given a set $S$ of formulae, we
shall write $\mathcal{A}(S)$ to denote the set of the atomic formulae that occur
in $S$, and $\mathcal{L}(S)$ to denote the set of the literals that occur in $S$
($\mathcal{A}$ and $\mathcal{L}$ denote, respectively, the set of atomic
formulae and the set of literals in the language). The complement of a literal
$l$ is denoted by $\bar{l}$. An atomic formula $p \in \mathcal{A}(S)$ is called
a positive (negative) fact of $S$ if $p \in S$ ($\neg p \in S$). The set of all
the (positive and negative) facts in $S$ is denoted by Facts($S$).

Fig. 1. Belnap lattice, FOUR


The various semantic notions are defined on FOUR as natural generalizations
of similar classical ones: A valuation $\nu$ is a function that assigns a truth
value in FOUR to each atomic formula. Any valuation is extended to complex
formulae in the obvious way. The set of the four-valued valuations is denoted by
$\mathcal{V}$. A valuation $\nu$ satisfies $\psi$ iff
$\nu(\psi) \in \{t, \top\}$. $t$ and $\top$ are called the designated elements
of FOUR. A valuation that satisfies every formula in a given set $S$ of formulae
is a model of $S$. A model of $S$ will usually be denoted by $M$ or $N$. The
set of all the models of $S$ is denoted by mod($S$).


The formulae that will be considered here are clauses, i.e.: disjunctions of 
literals. The following useful property of clauses is easily shown by an induction 
on the structure of clauses: 


Lemma 1. Let $\psi$ be a clause and $\nu$ a valuation. Then
$\nu(\psi) \in \{t, \top\}$ iff there is some $l \in \mathcal{L}(\psi)$ s.t.
$\nu(l) \in \{t, \top\}$.
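Lemma 1 can be checked by brute force on small clauses. The sketch below is only an illustration and not a proof: it assumes truth values are encoded as pairs (evidence for truth, evidence for falsity), clauses are lists of `(atom, is_positive)` literals, and all function names are hypothetical.

```python
from itertools import product

# Assumed encoding: t = (1, 0), f = (0, 1), top = (1, 1), bottom = (0, 0).
VALUES = [(1, 0), (0, 1), (1, 1), (0, 0)]


def literal_value(literal, valuation):
    """Value of a literal; negation swaps the two components."""
    atom, positive = literal
    x = valuation[atom]
    return x if positive else (x[1], x[0])


def clause_value(clause, valuation):
    """Value of a disjunction: the join of its literals in the truth order."""
    value = (0, 1)  # f is the neutral element of the join
    for literal in clause:
        x = literal_value(literal, valuation)
        value = (max(value[0], x[0]), min(value[1], x[1]))
    return value


def designated(x):
    """t and top are exactly the values whose first component is 1."""
    return x[0] == 1


def lemma1_holds(clause, atoms):
    """Check the equivalence of Lemma 1 for every valuation of the given atoms."""
    for values in product(VALUES, repeat=len(atoms)):
        valuation = dict(zip(atoms, values))
        lhs = designated(clause_value(clause, valuation))
        rhs = any(designated(literal_value(l, valuation)) for l in clause)
        if lhs != rhs:
            return False
    return True
```

For instance, `lemma1_holds([("p", True), ("q", False)], ["p", "q"])` exercises the clause $p \lor \neg q$ over all sixteen valuations of its atoms.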


A finite set of clauses is called a knowledge-base, and is denoted by KB. 
As the following lemma shows, representing formulae in a clause form does not 
reduce the generality. 
Lemma 2. [1] For every formula $\psi$ there is a finite set $S$ of clauses such
that for every valuation $\nu$, $\nu(\psi) \in \{\top, t\}$ iff
$\nu(\phi) \in \{\top, t\}$ for every $\phi \in S$.


Given a certain knowledge-base KB, we consider the $\le_k$-minimal elements in
mod(KB). These models reflect the intuition that one should not assume what
is not really represented in KB.


Definition 1. Let $\nu_1, \nu_2 \in \mathcal{V}$.


a) $\nu_1$ is k-smaller than $\nu_2$ iff for every atom $p$, $\nu_1(p) \le_k \nu_2(p)$.
b) $\nu \in$ mod(KB) is a k-minimal model of KB if there is no other model of KB
that is k-smaller than $\nu$.


Example 1. Consider the following knowledge-base: 


$KB = \{p, \neg q, \neg p \lor q, \neg p \lor h, q \lor r \lor s, q \lor \neg r \lor \neg s, h \lor r, h \lor s\}$


The (k-minimal) models of KB are given in Table 1 below. We shall use KB for 
the demonstrations in the sequel. 


The k-minimal models of KB will have an important role in the recovery 
process of KB. This may be justified by the fact that as long as one keeps 
the amount of information as minimal as possible, the tendency of getting into 
conflicts decreases. 
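The models and k-minimal models of a small knowledge-base can be enumerated exhaustively. The sketch below does this for the knowledge-base of Example 1; it is an illustration only, and the pair encoding of truth values, the `(atom, is_positive)` literal representation and the function names are assumptions rather than the paper's algorithm.

```python
from itertools import product

# Assumed encoding: (evidence for truth, evidence for falsity).
T, F, TOP, BOT = (1, 0), (0, 1), (1, 1), (0, 0)
VALUES = [T, F, TOP, BOT]


def satisfies(valuation, clause):
    """By Lemma 1, a clause is satisfied iff one of its literals is designated."""
    return any(
        valuation[atom][0] == 1 if positive else valuation[atom][1] == 1
        for atom, positive in clause
    )


def models(kb, atoms):
    """All four-valued valuations of the atoms that satisfy every clause."""
    result = []
    for values in product(VALUES, repeat=len(atoms)):
        valuation = dict(zip(atoms, values))
        if all(satisfies(valuation, clause) for clause in kb):
            result.append(valuation)
    return result


def k_smaller(v1, v2):
    """Definition 1(a): v1 is below v2 in the knowledge order on every atom."""
    return all(v1[a][0] <= v2[a][0] and v1[a][1] <= v2[a][1] for a in v1)


def k_minimal(all_models):
    """Definition 1(b): models with no other model k-smaller than them."""
    return [m for m in all_models
            if not any(n != m and k_smaller(n, m) for n in all_models)]


def pos(atom):
    return (atom, True)


def neg(atom):
    return (atom, False)


# The knowledge-base of Example 1.
ATOMS = ["p", "q", "h", "r", "s"]
EXAMPLE_KB = [
    [pos("p")], [neg("q")], [neg("p"), pos("q")], [neg("p"), pos("h")],
    [pos("q"), pos("r"), pos("s")], [pos("q"), neg("r"), neg("s")],
    [pos("h"), pos("r")], [pos("h"), pos("s")],
]
example_models = models(EXAMPLE_KB, ATOMS)
example_minimal = k_minimal(example_models)
```

Exhaustive enumeration is exponential in the number of atoms, so this is only practical for examples of this size.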


2.3. Recovered Knowledge-Bases 


Definition 2. Let $\nu \in \mathcal{V}$. Denote:
$I(\nu) = \{p \in \mathcal{A} \mid \nu(p) = \top\}$. Usually we shall be
interested in the assignments of $\nu$ w.r.t. a specific knowledge-base. In such
cases we shall consider the following set:
$I(\nu, KB) = \{p \in \mathcal{A}(KB) \mid \nu(p) = \top\}$.


As we have noted above, by “recovering a knowledge-base” we mean turning
it (in a plausible way) into a consistent one. That is:


Definition 3. A valuation $\nu$ is consistent if $I(\nu) = \emptyset$. A
knowledge-base is consistent if it has a consistent model.

Proposition 1. [1,2] A knowledge-base is consistent iff it is classically consis- 
tent. 


The recovery process is based on the following notion: 


Definition 4. A recovered knowledge-base $KB'$ of a knowledge-base KB is a
subset of KB with a consistent model $M'$ s.t. there is a (not necessarily
consistent) model $M$ of KB, for which $M'(p) = M(p)$ for every
$p \in \mathcal{A}(KB')$.
Table 1. The (k-minimal) models of KB

[Table body not recoverable from the source: it lists the models $M_1$ to
$M_{96}$ of KB and marks the k-minimal ones with +.]


Example 2. The set {p} is a recovered knowledge-base of KB_1 = {p, q, ¬q}, but it
is not a recovered knowledge-base of KB_2 = {p, ¬p}. This example demonstrates
the fact that in order to recover a given inconsistent knowledge-base, it is not
sufficient to find some of its (maximal) consistent subset(s), but it is necessary
to ensure that the subset under consideration would semantically correspond
to the original, inconsistent data. In our case, {p} does not recover KB_2 even
though it is a classically consistent subset of KB_2, just because
this set contradicts a piece of information (¬p) that is explicitly stated in the
original knowledge-base. Therefore, the “semantical correspondence” property is not
preserved in this case.¹
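
The two claims of Example 2 can be checked mechanically. The sketch below is an illustration under stated assumptions rather than part of the formalism: it uses the fact (Lemma 1 of the paper) that a clause has a designated value iff one of its literals does, and the names models and is_recovered are hypothetical.

```python
from itertools import product

# (evidence for, evidence against) encoding; an illustrative assumption.
T, F, TOP, BOT = (1, 0), (0, 1), (1, 1), (0, 0)

def atom(lit):
    return lit.lstrip("-")

def designated(lit, v):
    a, b = v[atom(lit)]
    return (b if lit.startswith("-") else a) == 1

def models(kb):
    """All four-valued models of kb over the atoms that occur in kb."""
    atoms = sorted({atom(l) for c in kb for l in c})
    for vals in product([BOT, F, T, TOP], repeat=len(atoms)):
        v = dict(zip(atoms, vals))
        if all(any(designated(l, v) for l in c) for c in kb):
            yield v

def is_recovered(sub, kb):
    """Definition 4 for a subset sub of kb."""
    assert all(c in kb for c in sub)
    sub_atoms = {atom(l) for c in sub for l in c}
    # Take M' equal to M on A(sub) and BOT elsewhere. M' is a model of sub
    # because sub is a subset of kb, and it is consistent exactly when M
    # assigns TOP to no atom of sub.
    return any(all(m[a] != TOP for a in sub_atoms) for m in models(kb))

KB1 = [("p",), ("q",), ("-q",)]
KB2 = [("p",), ("-p",)]
print(is_recovered([("p",)], KB1), is_recovered([("p",)], KB2))
```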


¹ Keeping this “semantical correspondence” to the original information is one of the
main differences between the present formalism and some other formalisms for
restoring consistency (see, e.g., [5,6,9]).


An Algorithmic Approach to Recover Inconsistent Knowledge-Bases 153 


Given an inconsistent knowledge-base KB, the idea is to choose one of its re- 
covered knowledge-bases and to treat this set as the relevant knowledge-base for 
deducing classical inferences. Next we show that the set of recovered knowledge- 
bases of KB may be easily constructed from the set of its models: 


Definition 5. Let ν ∈ V. The set that is associated with ν is defined as follows:
KB_ν = {ψ ∈ KB | ν(ψ) = t and A(ψ) ∩ I(ν, KB) = ∅}.


The set KB_ν corresponds to the (maximal) fragment of KB that can be
interpreted in a consistent way by ν. Elimination of pieces of “inadequate” informa-
tion in order to get a more “robust” representation of the “intended” knowledge 
is a common method in belief revision and argumentative reasoning (see, e.g., 
[5,6,9]). 


Proposition 2. [1] Every set that is associated with a model of KB is a recov- 
ered knowledge-base of KB. 


Proposition 2 implies that usually there will be many ways to recover a given
inconsistent knowledge-base. By what we have noted above, plausible candidates
for being the “best” recovered knowledge-base of KB would be those sets that
are associated with some k-minimal model of KB.²


Definition 6. A set S ⊆ KB is a preferred recovered knowledge-base of KB if
it is a maximal set that is associated with some k-minimal model of KB.


Example 3. Consider again the knowledge-base KB of Example 1. In the
notations of Table 1, the subsets of KB that are associated with its k-minimal models
are the following:

KB_{M_1} = {p, ¬p ∨ h, h ∨ r, h ∨ s},
KB_{M_33} = {¬q, h ∨ r},
KB_{M_34} = {¬q, h ∨ s},
KB_{M_39} = {¬q, h ∨ r},
KB_{M_40} = {¬q, q ∨ r ∨ s, q ∨ ¬r ∨ ¬s, h ∨ r, h ∨ s},
KB_{M_42} = {¬q, q ∨ r ∨ s, q ∨ ¬r ∨ ¬s, h ∨ r, h ∨ s},
KB_{M_44} = {¬q, h ∨ s},
KB_{M_57} = {h ∨ r, h ∨ s}.

Thus, the preferred recovered knowledge-bases are KB_{M_1} and KB_{M_40} = KB_{M_42}.
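
The sets of Example 3 can be recomputed by brute force. This is a minimal sketch under the same assumptions as before (pair encoding of the four values, disjunction as join in the truth order); the names associated and preferred are hypothetical, and the exhaustive enumeration is used only for checking, not as the recovery procedure of the paper.

```python
from itertools import product

# (evidence for, evidence against) encoding; an illustrative assumption.
T, F, TOP, BOT = (1, 0), (0, 1), (1, 1), (0, 0)
ATOMS = ["p", "q", "h", "r", "s"]
KB = [("p",), ("-q",), ("-p", "q"), ("-p", "h"), ("q", "r", "s"),
      ("q", "-r", "-s"), ("h", "r"), ("h", "s")]

def atom(lit):
    return lit.lstrip("-")

def value(clause, v):
    # A negative literal swaps the two components of its atom's value.
    vals = [v[atom(l)][::-1] if l.startswith("-") else v[atom(l)]
            for l in clause]
    return (max(a for a, _ in vals), min(b for _, b in vals))

def leq_k(u, v):
    return all(u[p][0] <= v[p][0] and u[p][1] <= v[p][1] for p in ATOMS)

valuations = [dict(zip(ATOMS, vs))
              for vs in product([BOT, F, T, TOP], repeat=len(ATOMS))]
models = [v for v in valuations if all(value(c, v)[0] == 1 for c in KB)]
minimal = [v for v in models
           if not any(u != v and leq_k(u, v) for u in models)]

def associated(v):
    """KB_v of Definition 5: clauses valued t with no atom valued TOP."""
    return frozenset(c for c in KB
                     if value(c, v) == T
                     and all(v[atom(l)] != TOP for l in c))

candidates = {associated(v) for v in minimal}
# Definition 6: keep the candidates that are maximal w.r.t. set inclusion.
preferred = [s for s in candidates if not any(s < t for t in candidates)]
for s in preferred:
    print(sorted(s))
```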


3 Recovery of Inconsistent Knowledge-Bases 


In this section we introduce an algorithm for recovering inconsistent knowledge- 
bases, and consider some of its properties. 


² See [2] for some other preference criteria for choosing recovered knowledge-bases.

Definition 7. Let KB be a knowledge-base, and let ν be a four-valued partial
valuation defined on (a subset of) A(KB). The dilution of KB w.r.t. ν (notation:
KB↓ν) is constructed from KB by the following transformations:


1. Deleting every ψ ∈ KB that contains either t, ⊤, or a literal l s.t. ν(l) ∈ {t, ⊤},
2. Removing from every formula that remains in KB every occurrence of f, ⊥,
and every occurrence of a literal l such that ν(l) ∈ {f, ⊥}.


The intuition behind the dilution process resembles, in a way, that of the
Gelfond-Lifschitz transformation [8]: Any data that has no effect on the rest
of the process is eliminated. Thus, for instance, if a literal l in a formula ψ is
assigned a designated value, then Lemma 1 assures that eventually ψ would also
have a designated value, no matter what would be the values of the elements in
L(ψ) \ {l}. Hence, these elements can be disregarded in the rest of the
construction, as indeed indicated by item (1) of Definition 7. The rationale behind item
(2) of the same definition is similar.
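
The two items of Definition 7 translate almost directly into code. The following minimal sketch assumes clauses are sets of literals without propositional constants (so the handling of t, ⊤, f and ⊥ occurring inside formulas is left out), and the names dilute and designated are hypothetical.

```python
# (evidence for, evidence against) encoding; an illustrative assumption.
T, F, TOP, BOT = (1, 0), (0, 1), (1, 1), (0, 0)

def atom(lit):
    return lit.lstrip("-")

def designated(lit, v):
    a, b = v[atom(lit)]
    return (b if lit.startswith("-") else a) == 1

def dilute(clauses, v):
    """Dilution of a clause set w.r.t. a partial valuation v (atom -> value)."""
    result = set()
    for clause in clauses:
        assigned = [l for l in clause if atom(l) in v]
        if any(designated(l, v) for l in assigned):
            continue  # item 1: a literal is designated, delete the clause
        # item 2: drop the literals whose value under v is f or BOT
        result.add(frozenset(l for l in clause if l not in assigned))
    return result

KB = {frozenset(c) for c in [("p",), ("-q",), ("-p", "q"), ("-p", "h"),
                             ("q", "r", "s"), ("q", "-r", "-s"),
                             ("h", "r"), ("h", "s")]}
for c in sorted(sorted(c) for c in dilute(KB, {"p": T})):
    print(c)
```

On the canonical example with p assigned t, the fact p is deleted and the literal ¬p is removed from the two clauses that contain it.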


Figure 2 contains a pseudo-code of the recovery algorithm.³ ⁴ As we show
in Theorems 1 and 2 below, given a certain knowledge-base KB as an input, the
algorithm provides the valuations needed for constructing the preferred recovered
knowledge-bases of KB.

It is easy to verify that the algorithm indeed halts for every knowledge-base.
This is so since knowledge-bases are finite, and since for every set S of clauses
and every partial valuation ν on A(S), we have that A(S↓ν) ⊂ A(S).


Example 4. Figure 3 below demonstrates the execution of the algorithm on the
knowledge-base KB of the canonical example (1 and 3). In this figure we denote
by p:x the fact that an atom p is assigned a value x.

In the notations of Table 1, the two leftmost paths in the tree of Figure 3
produce the k-minimal model M_1, and the other paths produce the k-minimal
models M_40 and M_42.⁵ As noted in Example 3, these are exactly the models
with which the preferred recovered knowledge-bases of KB are associated. By
Theorem 2, these are all the preferred recovered knowledge-bases of KB.


Proposition 3. Let v be a four-valued valuation produced by the algorithm of 
Figure 2 for a given knowledge-base KB. Then v is a model of KB. 


Proof: Let ψ ∈ KB. By Definition 7 and the specifications of the algorithm in
Figure 2, it is obvious that at some stage of the algorithm ψ is eliminated from
the set of clauses as a result of a dilution on this set. Note that a formula cannot
be eliminated by successively removing every literal of it according to condition
(2) of Definition 7, since the last literal that remains must be assigned a
designated value. Thus there must be some l ∈ L(ψ) that is assigned a designated
value. By Lemma 1, then, ν(ψ) ∈ {t, ⊤}, and so ν ∈ mod(KB).


³ The first parameter of the first call to Recover is the dilution of KB w.r.t. the empty
valuation. This is so in order to take care of the propositional constants that appear
in KB (for instance, if p ∨ f ∈ KB then p ∈ KB↓∅).

⁴ If the knowledge-base under consideration contains clauses that are logically
equivalent to f or ⊥ (e.g., f ∨ ⊥), then in KB↓∅ such clauses will become empty. One
can easily handle such degenerate cases by adding to the algorithm a line that
terminates its execution once an empty clause is detected.

⁵ Later on we shall take care of the redundancy.


input: A knowledge-base KB.
Mods = Recover(KB↓∅, ∅);
do (∀M ∈ Mods) {
    KB_M = {ψ ∈ KB | ¬∃p ∈ A(ψ) such that M(p) = ⊤};
    output(KB_M);
}
procedure Recover(S, ν)
/* S = a finite set of clauses, ν = the valuation constructed so far */
{
    if (S == ∅) then return(ν);      /* ν is a k-minimal model of KB */
    pos = {p ∈ A(S) | p ∈ S};        /* the positive facts in S */
    neg = {p ∈ A(S) | ¬p ∈ S};       /* the negative facts in S */
    if (pos ∪ neg == ∅) {
        do (∀p ∈ A(S)) {
            pick p;
            if (p ∈ L(S)) then Recover(S ∪ {p}, ν);
            if (¬p ∈ L(S)) then Recover(S ∪ {¬p}, ν);
        }
    }
    do (∀p ∈ (pos ∩ neg)) {
        pick p;
        μ(p) = ⊤;
        S’ = S↓μ;
        do (∀q ≠ p such that q ∈ A(S) \ A(S’))
            μ(q) = ⊥;
        Recover(S’, ν ∪ μ);
    }
    do (∀p ∈ (pos ∪ neg) \ (pos ∩ neg)) {
        pick p;
        if (p ∈ pos) then μ(p) = t else μ(p) = f;
        S’ = S↓μ;
        do (∀q ≠ p such that q ∈ A(S) \ A(S’))
            μ(q) = ⊥;
        Recover(S’, ν ∪ μ);
    }
}


Fig. 2. An algorithm for recovering knowledge-bases

[Figure 3: search tree of the algorithm. Root: {p, ¬q, ¬p ∨ q, ¬p ∨ h, q ∨ r ∨ s, q ∨ ¬r ∨ ¬s, h ∨ r, h ∨ s}. Inner nodes that can be recovered: {h, h ∨ r, h ∨ s}, {q, ¬q, q ∨ r ∨ s, q ∨ ¬r ∨ ¬s}, and, after p:⊤, {r ∨ s, ¬r ∨ ¬s, h ∨ r, h ∨ s}. All leaves are ∅. * = pruning (see below).]


Fig. 3. Execution of the algorithm w.r.t. the canonical example 
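
The procedure of Figure 2 and its run on the canonical example can be reproduced with a short Python sketch. It is an illustration under stated assumptions, not a reference implementation: clauses are sets of literals without propositional constants, the two loops over facts are merged into one, results are collected in a list instead of being returned, and the names recover and dilute are hypothetical.

```python
# (evidence for, evidence against) encoding; an illustrative assumption.
T, F, TOP, BOT = (1, 0), (0, 1), (1, 1), (0, 0)

def atom(lit):
    return lit.lstrip("-")

def atoms(S):
    return {atom(l) for c in S for l in c}

def designated(lit, v):
    a, b = v[atom(lit)]
    return (b if lit.startswith("-") else a) == 1

def dilute(S, v):
    """Definition 7 for clause sets without propositional constants."""
    out = set()
    for c in S:
        assigned = [l for l in c if atom(l) in v]
        if not any(designated(l, v) for l in assigned):
            out.add(frozenset(l for l in c if l not in assigned))
    return out

def recover(S, v, found):
    if not S:
        found.append(v)                      # one leaf of the search tree
        return
    pos = {a for a in atoms(S) if frozenset([a]) in S}
    neg = {a for a in atoms(S) if frozenset(["-" + a]) in S}
    if not pos and not neg:                  # no facts: guess a literal
        for lit in sorted({l for c in S for l in c}):
            recover(S | {frozenset([lit])}, v, found)
        return
    for p in sorted(pos | neg):
        mu = {p: TOP if (p in pos and p in neg) else T if p in pos else F}
        S2 = dilute(S, mu)
        for q in atoms(S) - atoms(S2) - {p}:
            mu[q] = BOT                      # atoms that vanished get BOT
        recover(S2, {**v, **mu}, found)

KB = {frozenset(c) for c in [("p",), ("-q",), ("-p", "q"), ("-p", "h"),
                             ("q", "r", "s"), ("q", "-r", "-s"),
                             ("h", "r"), ("h", "s")]}
found = []
recover(dilute(KB, {}), {}, found)
distinct = {frozenset(v.items()) for v in found}
print(len(found), len(distinct))
```

Under these assumptions the run has 12 leaves and 3 distinct valuations, matching the twelve paths and the three models M_1, M_40 and M_42 discussed in the text.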


The next proposition indicates that the valuations produced by the algorithm 
of Figure 2 assign designated truth values only to a minimal amount of literals 
(no more literals than what is really necessary for providing a model for KB). In 
a sense, this means that a minimal amount of knowledge (or belief) is assumed. 


Proposition 4. Let ν be a four-valued valuation produced by the algorithm of
Figure 2 for a given knowledge-base KB. Then ν is a choice function on KB:
For every ψ ∈ KB there is exactly one literal l ∈ L(ψ) s.t. ν(l) is designated.

Proof: The proof is by an easy inspection of the execution of the algorithm.
Consider some ψ ∈ KB. Suppose that it is eliminated at the i-th recursive call
to Recover. Then all the literals l ∈ L(ψ) for which ν(l) is defined until the i-th
recursive call to Recover have the property that ν(l) = f (otherwise ψ would have
already been eliminated). Then there is some l ∈ L(ψ) (which is chosen during
the i-th execution of Recover), for which ν(l) ∈ {t, ⊤}, and after the next
dilution ψ is eliminated, i.e.: all the rest of the literals in L(ψ) are assigned ⊥. It
follows, then, that every clause has a unique literal that is assigned a designated
value by ν.


Here is further evidence that only minimal knowledge is assumed
by the valuations produced by our algorithm:


Theorem 1. Let v be a four-valued valuation produced by the algorithm of 
Figure 2 for a given knowledge-base KB. Then v is a k-minimal model of KB. 


Proof: First, by Proposition 3, ν is a model of KB. It remains to show, then,
that ν is k-minimal among the models of KB. For that consider the following
set of knowledge-bases:

KB_0 = KB↓∅,   KB_{i+1} = KB_i↓ν_i

where ν_i (i ≥ 0) is the partial valuation determined during the i-th recursive
call to Recover.⁶ Now, let us first assume that there is at least one (positive or
negative) fact in KB (i.e., there is a literal l ∈ L(KB) s.t. l ∈ KB). We show that
ν is a k-minimal model of KB by an induction on the number n of the recursive
calls to Recover that are required for creating ν.


– n = 0: ν_0 may assign ⊤ only to a literal l s.t. l ∈ KB and l̄ ∈ KB, while all the
other elements in A(KB) are assigned ⊥. In this case ⊤ is the only possible
value for l, and so ν is k-minimal. The same argument is true for any literal
l s.t. l ∈ KB and l̄ ∉ KB (for that l, ν(l) = t). It is also obviously true for all
the literals that are assigned ⊥.

– n ≥ 1: Let M be a model of KB. We show that M ≮_k ν. Let M_1 be the
reduction of M to A(KB_1), and suppose first that M_1 is a model of KB_1. By
the induction hypothesis ν_1 is a k-minimal model of KB_1, thus there exists
p ∈ A(KB_1) s.t. M_1(p) ≰_k ν_1(p), therefore M ≮_k ν. The other possibility is
that M_1 is not a model of KB_1. In this case there must be a clause ψ_1 ∈ KB_1
s.t. M_1(ψ_1) ∉ {t, ⊤}. Since M is a model of KB, then by Lemma 1 there is
a ψ ∈ KB and an l ∈ L(ψ) s.t. M(l) ∈ {t, ⊤}, and {l} ∪ L(ψ_1) ⊆ L(ψ). But
then ν(l) ∉ {t, ⊤} (otherwise, ψ is eliminated in the dilution of KB and so
ψ_1 ∉ KB_1), while M(l) ∈ {t, ⊤}. It follows that M(l) ≰_k ν(l), therefore M ≮_k ν
in this case also.


To conclude, it remains to handle the case where there are no facts in KB.
In this case our algorithm operates on KB’ = KB ∪ {l} for some l ∈ L(KB).


⁶ Thus, if the algorithm terminates after n recursive calls to Recover, then ν = ⋃_{i=0}^{n} ν_i.


158 Ofer Arieli 


But now there is a fact in KB’, and so by what we have shown above our
algorithm produces a k-minimal model for KB’. Denote this model by ν’. We
have to show that ν’ is also a k-minimal model of KB. Indeed, ν’ is clearly a
model of KB. Let M be some other model of KB. If M(l) ∈ {t, ⊤} then M is
a model of KB’ and so M ≮_k ν’. Otherwise, M(l) ∈ {f, ⊥}. Consider the subset
of formulae of KB in which l appears as a literal: KB(l) = {ψ ∈ KB | l ∈ L(ψ)}.
Since l ∈ L(KB), it follows that KB(l) ≠ ∅. Moreover, since we assume that
there are no facts in KB, in particular l ∉ KB and l̄ ∉ KB, thus KB(l) ⊈ {l, l̄}.
Now, by the definition of ν’ as a valuation that is produced by our algorithm,
for every p ∈ A(KB(l)) s.t. p ≠ l, we have that ν’(p) = ⊥. (Such p exist since
KB(l) ≠ ∅ and KB(l) ⊈ {l, l̄}. These atoms are assigned ⊥ since all the formulae
in KB(l) are removed after the first dilution of KB’.) Now, since we assumed
that M(l) ∈ {f, ⊥}, then by Lemma 1 there must exist some p_0 ∈ A(KB(l))
s.t. M(p_0) ∈ {t, ⊤} (otherwise ∀ψ ∈ KB(l) M(ψ) ∉ {t, ⊤} and so M cannot be a
model of KB). Thus M(p_0) >_k ⊥ = ν’(p_0) and once again we have that M ≮_k ν’.


Using Theorem 1 we can now show that the algorithm indeed properly re- 
covers inconsistent knowledge-bases. 


Theorem 2. For a given knowledge-base KB, the algorithm of Figure 2
produces all the valuations ν, for which KB_ν is a preferred recovered knowledge-base
of KB.


Proof: By Theorem 1, if ν is obtained by our algorithm, then KB_ν is an element
of the following set:


Ω = {KB_M | M is a k-minimal model of KB}.


It remains to show, therefore, that the algorithm produces valuations ν_i, for
which KB_{ν_i} are the maximal elements of Ω. Indeed, given a k-minimal model
M of KB, we show that the algorithm produces a valuation ν s.t. I(ν, KB) ⊆
I(M, KB), and therefore KB_M ⊆ KB_ν.


As in Theorem 1, we denote by ν_i the partial valuation that is determined
during stage i of the algorithm (thus, if the algorithm terminates after n stages,
then ν = ⋃_{i=0}^{n} ν_i), and M_i is the reduction of M to the literals on which ν_i is
defined. Also, we use the following notations: KB_0 = KB↓∅, and for every i ≥ 0,
KB_{i+1} = KB_i↓ν_i. Now, suppose first that Facts(KB_0) ≠ ∅ (i.e., there is some
[positive or negative] fact in KB_0). If {l, l̄} ⊆ Facts(KB_0) for some literal l, set
ν_0(l) = ⊤ (note that in this case necessarily M(l) = ⊤ as well, since M is a model
of KB and so it must assign ⊤ to all the facts of KB that are both positive and
negative). Otherwise, choose some l ∈ Facts(KB_0) s.t. M(l) = t (such a literal
must exist, since M is a model of KB and so it must assign designated values to
the facts of KB_0), and set ν_0(l) = t. If Facts(KB_0) is empty, then if there is some
l ∈ L(KB_0) s.t. M(l) = t set ν_0(l) = t as well. Otherwise, pick some l ∈ L(KB_0)
s.t. M(l) = ⊥ and set ν_0(l) = t (there must be such a literal, since otherwise
∀l ∈ L(KB_0) M(l) ∈ {⊤, f} and since Facts(KB_0) = ∅, this implies that M is not
k-minimal, since one can easily construct a model of KB which is k-smaller than
M by changing one of the f-assignments of M to ⊥, or one of the ⊤-assignments
of M to t). Now, in order to determine ν_1 we follow a similar procedure, this time
for KB_1: If Facts(KB_1) ≠ ∅ then if {l, l̄} ⊆ Facts(KB_1) for some l, set ν_1(l) = ⊤
(note that in this case necessarily M(l) = ⊤ as well, since by the construction
of ν_0, we have that KB_1 = KB↓ν_0 ⊆ KB↓M_0, and so {l, l̄} ⊆ KB↓M_0 as well,
which means that M must assign l the value ⊤ in order to be a model of KB).
Otherwise, if there is some l ∈ Facts(KB_1) s.t. M(l) = t set ν_1(l) = t as well.
Otherwise, pick some l ∈ Facts(KB_1) s.t. M(l) = ⊥ (again, such an l must exist.
Otherwise, by the same reasons considered above, we will have a contradiction
to the fact that M is a k-minimal model of KB), and set ν_1(l) = t. The procedure
in case that Facts(KB_1) = ∅ is the same as the one in case that Facts(KB_0) = ∅.

Now, repeat the same process until for some n, KB_n becomes empty. Let
ν = ⋃_{i=0}^{n} ν_i. The following two facts are easily verified:


1. In the process of creating v we followed the execution of the algorithm along 
one path of its search tree. Hence v is obtained by our algorithm when KB 
is given as its input. 

2. If ν(l) = ⊤ then M(l) = ⊤ as well (see the notes whenever ν_i(l) = ⊤).


By (2), I(ν, KB) ⊆ I(M, KB), and so KB_M ⊆ KB_ν. Thus, by (1), an output ν of
the algorithm corresponds to a preferred recovered knowledge-base KB_ν of KB.


Clearly, large knowledge-bases that contain a lot of contradictory information
may be recovered in many different ways. Therefore, computing all the preferred
recovered knowledge-bases in such cases might require a considerable amount
of running time. It is worth noting, however, that an arbitrary recovery of a given
knowledge-base KB (i.e., producing some preferred recovered knowledge-base of
KB) can be obtained quite easily. This is so since the execution time for producing the
first output (valuation) is bounded by O(|L(KB)| · |KB|): a construction of the
first output requires no more than |L(KB)| calls to Recover (as there are no
more than |L(KB)| picked literals), and each call takes no more than O(|KB|)
running time.


We conclude this section with some notes on practical ways to reduce the 
execution time of the algorithm. 


A. Pruning of the Search Tree 


Let us consider once again the search tree of Figure 3. Denote the paths in this
tree, from left to right, by 1,...,12. Clearly, paths 1 and 2 yield the
same result. Similarly, the same valuation is produced in paths 3,6,7,11,12, and
the remaining paths in the search tree also yield the same valuation. It is possible
to avoid such duplications by backtracking once we find out that
we are constructing a valuation which is the same as another valuation that has
already been produced before. Indeed, note that a path j in the search tree of
the algorithm corresponds to a sequence of partial valuations ν^j_0, ν^j_1, ..., ν^j_{n_j} that
are constructed along its nodes. Thus, if we denote by A(KB)[μ] the elements of
A(KB) on which the partial valuation μ is defined, then it is possible to terminate
the j-th flow of the algorithm (terminology: to prune the j-th subtree) at stage
m iff there is a flow i < j, s.t.

⋃_{k≤m} A(KB)[ν^i_k] = ⋃_{k≤m} A(KB)[ν^j_k].


Example 5. In Figure 3 the pruning locations (in paths 2, 5-12) are marked with
an asterisk. Thus, only paths 1, 3, and 4 of the search tree are not pruned. They
yield, respectively, the k-minimal models M_1, M_42, and M_40 of KB.⁷


Obviously, the pruning consideration might drastically improve the search
mechanism of the algorithm. The tradeoff is that for checking the pruning
condition we have to use much more memory space, since the algorithm has to keep
track of the valuations that correspond to previous search flows.


B. Handling Unrelated Information 


There are many cases in which new information should not affect any previous
conclusion.⁸ In such cases a plausible mechanism of belief revision should not
retract any previous conclusion. Therefore, the general expectation is that in these
cases the computational complexity of adding the new data to the knowledge-base
and computing its new consequences would be relatively low. Detecting
those cases and finding an appropriate methodology to handle them is sometimes
called “the irrelevance problem”. In the next proposition we show that in cases
where totally irrelevant information arrives, it is possible to avoid executing the
recovery algorithm: the new data can safely be added to any preferred recovered
knowledge-base without damaging any of its properties.


Proposition 5. Let KB_1 and KB_2 be two subsets of a knowledge-base KB that
satisfy the following conditions:


(a) KB_1 ∪ KB_2 = KB,   (b) A(KB_1) ∩ A(KB_2) = ∅,⁹   (c) KB_1 is consistent.


If S is a preferred recovered knowledge-base of KB_2, then S ∪ KB_1 is a preferred
recovered knowledge-base of KB.


Proof: For the proof we need the following result: 


Lemma 5-A: [1,2] For every model M of a knowledge-base KB there is a
k-minimal model M’ of KB s.t. M’ ≤_k M.¹⁰


⁷ As noted in Example 3, these are exactly the models with which the preferred
recovered knowledge-bases of KB are associated.

⁸ This is the case, for instance, where there is no evidence of any relation between the
new data and the old one.

⁹ In case that conditions (a) and (b) are satisfied we say that KB_1 and KB_2 are a
partition of KB.

¹⁰ This property is sometimes called smoothness [10] or stopperedness [11].

Suppose now that S is a preferred recovered knowledge-base of KB_2. Then it is
associated with some k-minimal model ν_2 of KB_2, i.e. S = (KB_2)_{ν_2}. Also, since
KB_1 is classically consistent, it has a classical model, denote it ν_1. Now, consider
a valuation ν that is defined for every atomic formula p as follows:


ν(p) = ν_1(p)   if p ∈ A(KB_1),
ν(p) = ν_2(p)   if p ∈ A(KB_2).


Since A(KB_1) ∩ A(KB_2) = ∅, ν is well defined. It is also easy to see that ν is a
model of KB, and that KB_ν = (KB_2)_{ν_2} ∪ (KB_1)_{ν_1} = S ∪ KB_1. By Lemma 5-A there
is a k-minimal model M of KB s.t. M ≤_k ν. In particular, I(M, KB) ⊆ I(ν, KB),
and so KB_ν ⊆ KB_M. But KB_ν = S ∪ KB_1 and since S is a maximal recovered
knowledge-base of KB_2, KB_ν must be a maximal recovered knowledge-base of
KB. Thus KB_M = KB_ν = S ∪ KB_1 is a maximal recovered knowledge-base of KB
and it is associated with a k-minimal model of KB. Hence S ∪ KB_1 is indeed a
preferred recovered knowledge-base of KB.


Note that an immediate consequence of Proposition 5 is that in case that 
KB is classically consistent, then KB itself is the (only) preferred recovered 
knowledge-base, as indeed one expects. 


Example 6. Consider again our canonical example (1, 3, 4). Let KB’ = KB ∪
{u, ¬v ∨ w}. The preferred recovered knowledge-bases of KB’ are simply obtained
by adding {u, ¬v ∨ w} to each preferred recovered knowledge-base of KB. I.e., the
preferred recovered knowledge-bases of KB’ are {p, ¬p ∨ h, h ∨ r, h ∨ s, u, ¬v ∨ w}
and {¬q, q ∨ r ∨ s, q ∨ ¬r ∨ ¬s, h ∨ r, h ∨ s, u, ¬v ∨ w}.


It follows that in many cases it is possible to drastically reduce the execution 
time of the algorithm: If the knowledge-base under consideration can be parti- 
tioned into two subsets such that one of them is classically consistent, then in 
order to recover the knowledge-base it is sufficient to activate the algorithm only 
on the inconsistent subset, and then to add the consistent set to every preferred 
recovered knowledge-base that is obtained by the algorithm. 
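
One way to find such a partition is to group the clauses into blocks that share no atoms and to set aside the blocks that are classically consistent. The sketch below illustrates this idea under stated assumptions; the grouping strategy and the names components and classically_consistent are hypothetical, and consistency is tested by brute force, which is only practical for small blocks.

```python
from itertools import product

def atom(lit):
    return lit.lstrip("-")

def components(kb):
    """Group clauses into blocks whose atom sets are pairwise disjoint."""
    blocks = []                       # list of (atom set, clause list)
    for clause in kb:
        atoms, merged, rest = {atom(l) for l in clause}, [clause], []
        for block_atoms, block_clauses in blocks:
            if block_atoms & atoms:   # shares an atom: merge the blocks
                atoms |= block_atoms
                merged += block_clauses
            else:
                rest.append((block_atoms, block_clauses))
        blocks = rest + [(atoms, merged)]
    return [clauses for _, clauses in blocks]

def classically_consistent(clauses):
    """Brute-force two-valued satisfiability test."""
    atoms = sorted({atom(l) for c in clauses for l in c})
    for bits in product([False, True], repeat=len(atoms)):
        v = dict(zip(atoms, bits))
        # A literal is true when its atom's value differs from its sign flag.
        if all(any(v[atom(l)] != l.startswith("-") for l in c)
               for c in clauses):
            return True
    return False

KB_PRIME = [("p",), ("-q",), ("-p", "q"), ("-p", "h"), ("q", "r", "s"),
            ("q", "-r", "-s"), ("h", "r"), ("h", "s"), ("u",), ("-v", "w")]
blocks = components(KB_PRIME)
kb1 = [c for b in blocks if classically_consistent(b) for c in b]
kb2 = [c for b in blocks if not classically_consistent(b) for c in b]
print(sorted(kb1), len(kb2))
```

For the knowledge-base KB’ of Example 6, the consistent part consists of u and ¬v ∨ w, so the recovery algorithm would only need to run on the remaining eight clauses.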


4 Conclusion 


In this work we have introduced a simple algorithmic method for restoring the
consistency of inconsistent knowledge-bases. Restoration of consistent data is
a key concept in many applications, such as model-based diagnostic systems,
database management systems for distributed (and possibly contradicting)
sources of information, and pre-processing phases of procedures for
(classical) automated deduction. In all these areas, then, the techniques discussed in
this paper may be useful.

We have addressed here the propositional case in which our algorithm can 
easily be implemented in practice. Its computational complexity in the general 
case, and further practical considerations for an efficient handling of first-order 
languages, remain to be studied.

Abstract. In the belief change literature, while the degree of belief (or disbelief)
plays a crucial role, it is assumed that potential hypotheses that have neither been 
accepted nor rejected cannot be compared with each other in any meaningful 
manner. We start with the assumption that such hypotheses can be non-trivially 
compared with respect to their plausibility and argue that a comprehensive theory 
of acceptance should take into account the degree of beliefs (or disbeliefs) as well 
as the plausibility of such tenable hypotheses. After showing that such a compre- 
hensive theory of acceptance based on the received principle of minimal change 
does not lend itself to iterated acceptance, we propose, examine and provide rep- 
resentation results for an alternative theory based on the principle of rejecting the 
worst that can handle repeated acceptance of evidence. 


1 Introduction 


The theory of belief change, originating in the classic works [AGM85, Gar88] (hence- 
forth the AGM Theory) takes into account what we may term the degree or firmness of 
currently held beliefs. The basic idea that these theories rest on is that in assimilating 
new information, a rational agent should see to it that if some currently held beliefs must 
be given up, then, given the option, less firmly held beliefs may be given up in favour of 
more firmly held beliefs. Possibility theory [DP92], on the other hand, heavily relies on 
what may be termed as the degree of disbelief. The basic idea behind possibility theory 
is that in assimilating new information, a rational agent may be forced to suspend disbe- 
lief in some sentences that are currently disbelieved (i.e., their negations are believed); 
and in such an eventuality the agent should see to it that given the option, the suspension 
of disbelief is carried out with respect to less strongly denounced propositions instead of 
more strongly denounced propositions. In fact, both these approaches — belief change 
and possibility theory — are largely inter-translatable since the firmness of the belief in 
a sentence may be viewed simply as the strength of denouncement with respect to its 
negation. 

Since each sentence is either believed or disbelieved or neither, given an agent’s
belief state, sentences of a language may be partitioned into three disjoint cells, namely,
beliefs (sentences that the agent takes to be true in her model of the world), disbeliefs
(sentences that the agent takes to be false in her model of the world) and plausibilities
(sentences that the agent is agnostic about). The measure used by the belief change
camp, exemplified by, for instance, epistemic entrenchment, is primarily defined over
the beliefs. The measure used by the possibility theory camp (the possibility measure),
on the other hand, is primarily defined over the disbeliefs. More to the point, both these
measures effectively refuse to compare different plausibilities. This is rather ironic since
both these camps are rather recent entrants to the state-updating area compared to the
Bayesian tradition which is primarily based on the probability of the plausibilities.¹

It is perhaps a mistake to consider the Bayesian approach and the belief change 
(or, for that matter, possibility theory) as competitors: they are best viewed as comple- 
menting each other in providing us a model for the general task of accepting some new 
evidence. Belief change and possibility theory primarily provide a model for accepting 
new information that conflicts with the current knowledge. This problem has come to be 
known as revision in the literature. The account they give of accepting new information 
that is not in conflict with the current knowledge may be viewed as a special case that 
should not be taken seriously. Similarly, the Bayesian tradition may be taken as provid- 
ing us a model of how to accept evidence that is consistent with the current knowledge. 
This problem has come to be known as expansion. Bayesian doctrine is more up-front 
about its treatment of evidence that conflicts with the current knowledge — the Bayesian 
doctrine is not designed to handle such evidence. 

In light of the above discussion, it is apparent that a general account of acceptance 
should provide a non-trivial account of handling two types of evidence — disbelief and 
plausibilities — in the sense that it should be based on a measure that allows non-trivial 
comparison among beliefs (or disbeliefs) and among plausibilities. This purported ac- 
count of acceptance may be quantitative in the Bayesian style or qualitative in the AGM 
style. The purpose of this paper is to provide a qualitative account of such a general the- 
ory of acceptance. 

This account should satisfy certain high-level desiderata that will be explicated in 
more detail in the next section: 


1. The theory of acceptance in question should allow the non-trivial comparison of 
beliefs (mutatis mutandis disbeliefs) on the basis of their strength or firmness, 

2. The theory of acceptance in question should allow the non-trivial comparison of 
hypotheses that have neither been accepted nor rejected on the basis of their plau- 
sibility, 

3. The construction of the purported acceptance operation should be based on
rationally defensible principles,

4. The properties of the purported acceptance operation should be intuitively appeal- 
ing, and finally, 

5. The framework used for this construction should allow for an iterated account of 
acceptance in a non-trivial manner. 


The rest of this paper is organised as follows. In the next section, I show that when we
impose comparability among plausibilities on the AGM framework, we get an
operation (to be called “acceptance”) that behaves like revision or abduction depending on
the nature of the received evidence. In the section following it, I discuss and examine
the limited nature of this operation, namely that it cannot process sequential pieces of
evidence in a satisfactory manner. In the penultimate section, an alternative theory of
acceptance based on the principle of rejecting the worst is presented, and its
properties examined. Appropriate representation results are presented in this section. Finally I
conclude with a brief discussion of how this proposed theory lends itself to an account
of iterated acceptance of evidence.


¹ In the Bayesian framework, each belief receives probability 1 and each disbelief gets
probability 0. So there is no non-trivial comparison among beliefs (or disbeliefs). Only the comparison
among the plausibilities is nontrivial.


2 Comparison among Plausibilities: Genesis of Abduction 


In the introductory section, I argued that a theory of acceptance should take into account 
comparison among plausibilities, that is among sentences that are neither believed nor 
disbelieved by an agent. In this section, I will postulate such a comparison among plau- 
sibilities and show that this leads to an account of abduction or inference to the best 
explanation [Pau93] of the variety propounded by Pagnucco in [Pag96]. I will then ex- 
plain how this theory of abduction can be used in a theory of acceptance and point out 
one of its severe limitations, namely that this account does not lend itself to an iterated 
account of acceptance. 

The comparison among plausibilities will be modelled after the comparison among 
the beliefs as provided by the relation of epistemic entrenchment [GM88]. Hence I will 
first provide a brief introduction to the classic account of belief change [AGM85] fol- 
lowed by a semantic account of epistemic entrenchment [Gro88]. After that I will give 
an analogous account of comparison among plausibilities that will lead to Pagnucco’s 
account of abduction [Pag96]. 


2.1 Belief Change 


In the AGM system, a belief state is represented as a theory or belief set (i.e., a set of 
sentences closed under your favourite consequence operation), new information (epis- 
temic input) is represented as a single sentence, and a state transition function, called 
revision, returns a new belief state given an old belief state and an epistemic input. If the 
input in question is not belief contravening, i.e., does not conflict with the given belief 
state (theory), then the new belief state is simply the consequence closure of the old 
state together with the epistemic input. In the other case, i.e., when the input is belief 
contravening, the model utilises a selection mechanism (e.g. an epistemic entrenchment 
relation over beliefs, a nearness relation over worlds or a preference relation over theo- 
ries) in order to determine what portion of the old belief state has to be discarded before 
the input is incorporated into it. 

From here onwards I will assume a finitary propositional object language L.² Let
its logic be represented by a classical logical consequence operation Cn. The yielding
relation ⊢ is defined via Cn as: Γ ⊢ α iff α ∈ Cn(Γ).


> A finitary language is a language generated from a finite number of atomic sentences. So the 
number of sentences in this language is not finite. 
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The AGM revision operation is required to satisfy the following rationality postu- 
lates: Let K be a belief set (a set of sentences closed under C'n), the sentence x € £ be 
the evidence, * the revision operator, and /* the result of revising IK by zx. 


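(1*) $K^{*}_{x}$ is a theory
(2*) $x \in K^{*}_{x}$
(3*) $K^{*}_{x} \subseteq Cn(K \cup \{x\})$
(4*) If $K \nvdash \neg x$ then $Cn(K \cup \{x\}) \subseteq K^{*}_{x}$
(5*) $K^{*}_{x} = K_{\bot}$ iff $\vdash \neg x$
(6*) If $\vdash x \leftrightarrow y$, then $K^{*}_{x} = K^{*}_{y}$
(7*) $K^{*}_{x \wedge y} \subseteq Cn(K^{*}_{x} \cup \{y\})$
(8*) If $\neg y \notin K^{*}_{x}$ then $Cn(K^{*}_{x} \cup \{y\}) \subseteq K^{*}_{x \wedge y}$

Motivation for these postulates can be found in [Gar88]. Let us call any revision
operation that satisfies the above eight constraints “AGM rational”. These postulates can
actually be translated into constraints on a non-monotonic inference relation $\mid\!\sim$ [GM94].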

The account of belief change provided here is non-constructive. A popular construction
of the revision operation $*$ is obtained via the relation $\leq$ of epistemic entrenchment.
This relation $\leq$ is a binary relation defined over the language $\mathcal{L}$, and the expression
$x \leq y$ is meant to be read as: sentence $y$ is no less firmly believed than the sentence
$x$. The standard conditions that $\leq$ is meant to satisfy can be found in [Gar88]. The
operation $*$ can be constructed via $\leq$ in the following manner: an arbitrary sentence $y$
is in $K^{*}_{x}$ just in case either $y$ is implied by $x$ or $(x \to \neg y) < (x \to y)$. The principal
(second) case means that when, relative to the evidence $x$, the information in $\neg y$ is less
firmly held than the information in $y$, the sentence $y$ should be accepted on the basis of
evidence $x$. Instead of giving details of epistemic entrenchment, I will now provide its
semantics, supplemented by a visual aid, which has obvious intuitive appeal.


2.2 Semantics of Entrenchment 


The semantics of epistemic entrenchment is given by what has come to be known as the
“Systems of Spheres” (SOS), originally developed by Adam Grove [Gro88]. The one I
will present is different in approach, but is equivalent to the construction propounded by
Grove. Let $M$ be the class of maximally consistent sets $w$ of sentences in the language
in question. The reader is encouraged to think of these maximal sets as worlds, models
or scenarios. (I will use the following expressions interchangeably: “$w \vdash \alpha$”,
“$\alpha$ allows $w$” and “$w \in [\alpha]$”, where $w$ is an element in $M$ and $\alpha$ is either a
sentence or a set of sentences.) Given the belief set $K$, denote by $[K]$ the worlds allowed
by it, i.e., $[K] = \{w \in M \mid K \subseteq w\}$. (Similarly, for any sentence $x$, let $[x]$ be the set
of “worlds” in which $x$ holds.)

A system of spheres is simply represented by a connected, transitive and reflexive
relation (total preorder) $\sqsubseteq$ over the set $M$ such that $[K]$ is exactly the set of
$\sqsubseteq$-minimal worlds of $M$. Intuitively, $w \sqsubseteq w'$ may be read as: $w$ is at least as
good/preferable as $w'$ (or, $w'$ is not strictly preferred to $w$).³


3 Note the oddity: the $\sqsubseteq$-minimal world is most preferred. This is a legacy from the literature.

The relation $\sqsubseteq$ nicely captures the idea behind epistemic entrenchment: $x \leq y$ for
an agent just in case, from that agent’s perspective, the most preferred $\neg x$-world is no
less preferred than the most preferred $\neg y$-world. More formally, $x \leq y$ iff
$w_{\neg x} \sqsubseteq w_{\neg y}$, where $w_{\neg x}$ is a $\sqsubseteq$-minimal $\neg x$-world and $w_{\neg y}$ is a
$\sqsubseteq$-minimal $\neg y$-world. In intuitive terms, $x$ is less firmly believed than $y$ just in
case it is easier for one to move from one’s current perspective to a $\neg x$-scenario than
to a $\neg y$-scenario. It is easily verified that non-beliefs, in particular plausibilities
(sentences that allow some but not all $[K]$-worlds), are all $\leq$-equivalent, and hence
$\leq$ cannot discriminate among plausibilities. The reason for this is that, given two
plausibilities $x$ and $y$, the worlds that are $\sqsubseteq$-minimal in $[\neg x]$ and those that are
$\sqsubseteq$-minimal in $[\neg y]$, being members of $[K]$, are $\sqsubseteq$-minimal worlds.
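
As a rough illustration of this last observation, the following Python sketch computes entrenchment from a ranking of worlds. The two-atom language, the `rank` dictionary (lower rank meaning more preferred) and the function names are assumptions made for the example only; they are not part of the account above.

```python
from itertools import product

# Hypothetical two-atom language: a world assigns truth values to (p, q).
WORLDS = list(product([True, False], repeat=2))

# Assumed Grove-style ranking, lower rank = more preferred.
# [K] is the set of rank-0 worlds, here exactly the worlds where p holds.
rank = {
    (True, True): 0,
    (True, False): 0,
    (False, True): 1,
    (False, False): 2,
}

def best_rank_of_negation(sentence):
    """Rank of the most preferred world falsifying the sentence (inf if none)."""
    return min((rank[w] for w in WORLDS if not sentence(w)), default=float("inf"))

def entrenched_leq(x, y):
    """x <= y iff the best not-x world is at least as preferred as the best not-y world."""
    return best_rank_of_negation(x) <= best_rank_of_negation(y)

p = lambda w: w[0]
q = lambda w: w[1]
not_q = lambda w: not w[1]
p_or_q = lambda w: w[0] or w[1]

# Beliefs are discriminated: p is strictly less entrenched than p-or-q.
print(entrenched_leq(p, p_or_q), entrenched_leq(p_or_q, p))   # True False
# The plausibilities q and not-q come out as equally entrenched.
print(entrenched_leq(q, not_q), entrenched_leq(not_q, q))     # True True
```

Both q and not-q have a falsifying world inside [K], so their best falsifying worlds share rank 0 and the relation cannot separate them.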

Now, we define the Grove-revision function $G*$ as:
$[K^{G*}_{x}] = \{w \in [x] \mid w \sqsubseteq w' \text{ for all } w' \in [x]\}$, whereby
$K^{G*}_{x} = \bigcap [K^{G*}_{x}]$. It turns out that the AGM revision postulates
characterise the Grove revision operation $G*$.⁴ A visual representation of the crucial
case in the Grove construction is given in Figure 1. In this, the area marked $[x]$
represents the models allowed by the evidence $x$. The area $[K]$ represents the models
currently entertained by the agent, and the broken circles demarcate models according
to the agent’s preference. The farther a model is from the centre, the less preferred it
is. The shaded part of $[x]$ represents the most preferred of the models allowed by the
evidence $x$, hence identified with $[K^{G*}_{x}]$.


Fig. 1. Minimality based revision: the principal case


Viewed from this semantic angle, belief change is about preferential choice: $[K^{G*}_{x}]$
essentially identifies the subset to be chosen from $[x]$ as the set of worlds that are
$\sqsubseteq$-best in $[x]$.
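
The choice of the best worlds can be sketched in a few lines of Python. This is only a toy model under stated assumptions: worlds are hypothetical labels, the total preorder is encoded as an integer `rank` (lower is more preferred), and sentences are identified with the sets of worlds they allow.

```python
def minimal_worlds(worlds, rank):
    """Return the most preferred (lowest-rank) worlds in a set."""
    if not worlds:
        return set()
    best = min(rank[w] for w in worlds)
    return {w for w in worlds if rank[w] == best}

# Hypothetical worlds named by the atoms true in them; lower rank = more preferred.
rank = {"pq": 0, "p": 0, "q": 1, "none": 2}
K = minimal_worlds(set(rank), rank)          # Grove: [K] is the central sphere

not_p = {"q", "none"}                        # [x] for belief-contravening evidence
q = {"pq", "q"}                              # [x] for evidence consistent with K

print(sorted(K))                             # ['p', 'pq']
print(minimal_worlds(not_p, rank))           # {'q'}
print(minimal_worlds(q, rank) == (K & q))    # True
```

In the consistent case the best worlds of [x] coincide with the intersection of [K] and [x], which matches the description of the non-contravening case in Section 2.1.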

We introduce the following notation for later use. 


4 Readers acquainted with Grove’s work will easily notice that given a system of spheres $\Sigma$, the
relation $\sqsubseteq_{\Sigma}$ can be generated as: $w \sqsubseteq_{\Sigma} w'$ iff for every sphere $S'$ that has $w'$ as a
member, there exists a sphere $S \subseteq S'$ with $w$ as a member. On the other hand, given a total
preorder $\sqsubseteq$ on $M$, a system of spheres $\Sigma_{\sqsubseteq}$ can be generated as follows: a set $S \subseteq M$ is a
sphere in $\Sigma_{\sqsubseteq}$ iff, given any member $w$ of $S$, if $w' \sqsubseteq w$ then $w'$ is also a member of $S$.
It is easily noticed that the $\sqsubseteq$-minimal worlds of $M$ constitute the central sphere, and for
any sentence $x$, the $\sqsubseteq$-minimal members of $[x]$ constitute $[K^{G*}_{x}]$ in the corresponding SOS.

Definition 1 A subset $T$ of $M$ is said to be $\sqsubseteq$-flat just in case $w \sqsubseteq w'$ for all members
$w, w'$ of $T$. In this case, the members of $T$ are called $\sqsubseteq$-equivalent. $w \sqsubset w'$, on the
other hand, is used as an abbreviation for $(w \sqsubseteq w') \wedge (w' \not\sqsubseteq w)$.


2.3 Minimality Based Abduction 


Earlier I argued that, like beliefs and disbeliefs, plausibilities too can be meaningfully
compared with each other. We also noticed that epistemic entrenchment does not provide
a meaningful comparison among plausibilities since all the worlds validating the
agent’s current knowledge (namely members of $[K]$) are $\sqsubseteq$-minimal. In order to effect
a non-trivial comparison among the plausibilities, therefore, it seems prudent to introduce
some more structure into $[K]$. Let us accordingly give up the assumption that $[K]$
is the set of $\sqsubseteq$-minimal worlds, and instead impose the following conditions:


1. $[K] \neq \emptyset$, and
2. If $w \sqsubseteq w'$ and $w' \in [K]$ then $w \in [K]$, for every $w, w'$ in $M$.


In effect, the system of spheres represented by $\sqsubseteq$ represents an expectation ordering
[GM94]. The belief state $[K]$ in this system of spheres could be any of the spheres in
the system. Grove’s SOS is a special case of this, namely when $[K]$ is the smallest
sphere allowed by $\sqsubseteq$, i.e., $[K]$ is the set of $\sqsubseteq$-minimal worlds. Another special case
is when $[K] = M$. This represents the knowledge state of an epistemically innocent
agent who does not know anything about the world. But a more interesting special case
is the dual of Grove’s SOS: $[K] = \{w \mid w \text{ is not } \sqsubseteq\text{-maximal}\}$. In other words, whereas
in Grove’s account $[K]$ is $\sqsubseteq$-flat, in this dual account $M \setminus [K]$ is $\sqsubseteq$-flat. If we assume
a binary relation $\preceq$ over $\mathcal{L}$ defined as: $x \preceq y$ iff $w_{\neg x} \sqsubseteq w_{\neg y}$, where $w_{\neg x}$ is a
$\sqsubseteq$-minimal $\neg x$-world and $w_{\neg y}$ is a $\sqsubseteq$-minimal $\neg y$-world, we get a relational measure that
effectively compares plausibilities, but fails to discriminate among beliefs (and among
disbeliefs). This is the mechanism that drives Pagnucco’s account of abductive belief
change [Pag96].

Analogous to the AGM approach to revision, expansion in Pagnucco’s approach
rests on minimality considerations. Given evidence $x$ which is consistent with the current
knowledge, the result of adopting $x$ is represented by the new belief state
$[K^{+}_{x}] = \{w \mid w \text{ is } \sqsubseteq\text{-minimal in } [x]\} = \{w \mid w \text{ is } \sqsubseteq\text{-minimal in } [K] \cap [x]\}$.
However, since $[K]$ is not necessarily $\sqsubseteq$-flat, neither is $[K] \cap [x]$. Hence, possibly
$[K^{+}_{x}] \subset [K] \cap [x]$. Thus, unlike expansion in the AGM approach, Pagnucco’s expansion
operation $+$ is ampliative. In fact this operation has all the hallmarks of an abductive
inference. Figure 2 provides a visual representation of the abductive process suggested in [Pag96].
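
The ampliative character of this expansion can be seen in a small Python sketch. It assumes a toy model that is not in the source: four hypothetical worlds, an integer `rank` encoding the ordering (lower is more preferred), and sentences given as sets of worlds.

```python
# Hypothetical worlds with an assumed ranking; lower rank = more preferred.
rank = {"w1": 0, "w2": 1, "w3": 2, "w4": 3}

def is_sphere(worlds, rank):
    """A sphere contains every world at least as preferred as any of its members."""
    worst = max(rank[w] for w in worlds)
    return all(w in worlds for w in rank if rank[w] <= worst)

def abductive_expand(k_worlds, x_worlds, rank):
    """Most preferred worlds of [K] & [x]; [K] is left unchanged if x conflicts with K."""
    common = k_worlds & x_worlds
    if not common:
        return set(k_worlds)
    best = min(rank[w] for w in common)
    return {w for w in common if rank[w] == best}

K = {"w1", "w2", "w3"}        # a sphere that is not flat
x = {"w2", "w3", "w4"}        # evidence consistent with K

print(is_sphere(K, rank))                      # True
print(sorted(K & x))                           # ['w2', 'w3']  (AGM expansion)
print(sorted(abductive_expand(K, x, rank)))    # ['w2']        (abductive expansion)
```

The abductive result is a proper subset of the AGM expansion, so the agent ends up believing more than the evidence and the old beliefs classically entail.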

Pagnucco has examined the properties of this abduction operation. Let K be the cur- 
rent belief set, x the evidence and + the abductive expansion operation. The following 
list fully characterises this operation. 


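(1+) $K^{+}_{x}$ is a theory
(2+) If $\neg x \notin K$ then $x \in K^{+}_{x}$
(3+) $K \subseteq K^{+}_{x}$
(4+) If $K \vdash \neg x$ then $K^{+}_{x} = K$
(5+) If $K \nvdash \neg x$ then $\neg x \notin K^{+}_{x}$
(6+) If $K \vdash x \leftrightarrow y$, then $K^{+}_{x} = K^{+}_{y}$
(7+) $K^{+}_{x} \subseteq Cn(K^{+}_{x \vee y} \cup \{x\})$
(8+) If $\neg x \notin K^{+}_{x \vee y}$ then $K^{+}_{x \vee y} \subseteq K^{+}_{x}$


Fig. 2. Minimality based Abduction (regions labelled $[K]$, $[x]$ and $[K^{+}_{x}]$)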

The motivation behind these properties can be found in [Pag96]. 


3  Minimality Based Acceptance and Its Failure 


In the last section I showed how the desire for comparison of plausibilities, combined
with minimality based belief change, leads to Pagnucco’s account of abduction.
In this section I will combine the AGM approach to belief change with Pagnucco’s
account of abduction in order to provide a comprehensive account of acceptance. Then
I will show that this approach suffers from a serious setback in that it does not lend itself
to an account of iterated acceptance. I will then analyse this problem of iteration and
present a solution to it. The technical consequences of this solution are explored
afterwards.


3.1 Acceptance Based on Minimality 


In the last section, we dispensed with the AGM idea that the belief state [K] is the 
smallest sphere in an SOS and assumed that [K] could be any sphere in the SOS. I 
pointed out that the AGM system (read Grove’s SOS) is one special case of this, and 
Pagnucco’s system is another special case. Now, we can combine these two accounts to 
offer a general account of acceptance. Roughly, what we wish the acceptance operation 
to do is to behave like the AGM operation when the evidence is belief contravening, 
and behave like the Pagnucco operator when the evidence is consistent with the current 
beliefs. Let us denote this minimality based acceptance operator as $\odot$ and define this
operation $\odot$, given an expectation ordering $\sqsubseteq$ and an appropriate belief set $K$, as follows:

Definition 2 (from $\sqsubseteq$ to $\odot$) Where $\sqsubseteq$ is a total preorder on $M$ and $[K]$ a sphere for
$\sqsubseteq$, $[K^{\odot}_{x}]$ is defined as the set $\{w \in [x] \mid w \sqsubseteq w' \text{ for all } w' \in [x]\}$.


It is easily verified that when the evidence $x$ conflicts with $K$, the operation $\odot$ behaves
like the AGM revision operator; on the other hand, if $x$ is consistent with $K$, instead
of behaving like the AGM revision operator, the operation $\odot$ starts behaving like
Pagnucco’s abductive expansion operator. This process may be visually represented as in
Figure 3.


Fig. 3. Minimality based Acceptance. 


3.2 Acceptance Faces the Iteration Problem 


Iteration has been a well known problem in the belief change literature. Formally, a
function $f$, in order to be iterative, simply requires that if $f(x)$ is a well defined
object, then so should be $f(f(x))$. In the context of belief change, failure of the iterative
property means an agent is guaranteed an initial change of mind, but not necessarily
any subsequent one. Since in practice agents do not get all pieces of evidence in one
go, it is highly desirable that any belief change operation, acceptance included, should
have the iterative property. In the belief change lingo, it means that the belief change
operation should satisfy the principle of category matching: the object that undergoes
change must result in an object of the same category.

Unfortunately, however, the acceptance operation $\odot$ seriously fails on this count.
There are different ways of looking at this problem. Primarily, a structured object ($[K]$,
which consists of possibly many layers of $\sqsubseteq$-equivalence classes of worlds) undergoes
an epistemic change in response to evidence $x$ and results in an unstructured object
($[K^{\odot}_{x}]$, which is a single class of $\sqsubseteq$-equivalent worlds). Hence operation $\odot$ violates the
principle of category matching.⁵


5 Perhaps a more accurate description of the problem is the following. There are three arguments
to $\odot$: an expectation ordering $\sqsubseteq$, an arbitrary sphere $[K]$ of $\sqsubseteq$ and the evidential (external) input

The practical problem is noticed very easily. Consider Figure 3. Imagine that $\alpha$ and
$\beta$ are two pieces of evidence such that $[K] \cap [\alpha] \neq \emptyset$ and $[K^{\odot}_{\alpha}] \cap [\beta] \neq \emptyset$. Assuming
that $[K] \cap [\alpha]$ is not $\sqsubseteq$-flat, the first operation of $\odot$ will result in an abductive expansion.
Now, in order to process evidence $\beta$ we will need a system of spheres in which $[K^{\odot}_{\alpha}]$
is a sphere. But since $[K^{\odot}_{\alpha}]$ is $\sqsubseteq$-flat, given the measure $\sqsubseteq$, no matter how we permute
the $\sqsubseteq$-equivalence classes, if $[K^{\odot}_{\alpha}]$ is going to be a sphere in the resultant SOS, it is
going to be the central sphere. Hence we are back to a Grovian SOS, and all future
expansions are going to be the non-abductive AGM expansion. Another way of looking
at it is that although the desirability of a nontrivial comparison among plausibilities led
to the theory of acceptance at issue here, after the first abduction, we are left only with
a vacuous comparison among plausibilities.
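
The loss of structure can be checked mechanically on a toy model. The sketch below assumes hypothetical worlds with integer ranks (lower is more preferred) and treats evidence as a set of worlds; `accept_minimal` is an illustrative name for the operation of Definition 2.

```python
from itertools import combinations

def is_flat(worlds, rank):
    """A set is flat when all of its worlds are equally preferred."""
    return len({rank[w] for w in worlds}) <= 1

def accept_minimal(x_worlds, rank):
    """Definition 2 on ranks: the most preferred worlds allowed by the evidence."""
    best = min(rank[w] for w in x_worlds)
    return {w for w in x_worlds if rank[w] == best}

rank = {"w1": 0, "w2": 1, "w3": 2, "w4": 3}
K = {"w1", "w2", "w3"}            # a structured (non-flat) belief state
alpha = {"w2", "w3", "w4"}        # evidence consistent with K

new_K = accept_minimal(alpha, rank)
print(is_flat(K, rank))           # False
print(is_flat(new_K, rank))       # True

# Whatever the (non-empty) evidence, the output is a single equivalence class.
always_flat = all(
    is_flat(accept_minimal(set(c), rank), rank)
    for n in range(1, len(rank) + 1)
    for c in combinations(rank, n)
)
print(always_flat)                # True
```

Since every output is flat, there is no internal layering left from which a later abductive step could select.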


3.3 Diagnosis and Prescription


It is clear from the discussion above that iteration is desirable in the context of acceptance,
and the operation $\odot$ fails on this count primarily because $[K^{\odot}_{x}]$ consists of a set of
$\sqsubseteq$-equivalent worlds, in particular, the set of $\sqsubseteq$-minimal $x$-worlds. This has often been
justified on the basis of the principle of minimality (read minimal change). Hence, in
order that we may gain the ability to iterate, it is imperative to satisfy the principle
of category matching. This in turn implies that we impose more structure into the set
$[K^{\odot}_{x}]$, and thereby violate the principle of minimality. In this context, it is important to
take into consideration a few issues:


1. What is the intuitive justification for the principle of minimality? 

2. Our proposal to impose more structure into $[K^{\odot}_{x}]$ and thereby violate the
principle of minimality is based on purely pragmatic grounds. Can this be justified on
independent grounds?

3. The discussion in the last section regarding the failure of iteration in the context of
acceptance is primarily based on abduction. Is it possibly desirable to violate the
principle of minimality only in the context of abduction and retain it in the context of
revision?


I will address these issues individually. 

As to the first issue, the principle of minimality in question is essentially based on
the intuitively obvious principle of choosing the best [NF98]. In order to successfully
accept the evidence $x$, the result $[K^{\odot}_{x}]$ is required to be a subset of $[x]$. Hence, it is a
matter of choosing the “right” elements of $[x]$. Since $\sqsubseteq$ reflects the agent’s preference
over all the worlds, members of $[x]$ included, and the $\sqsubseteq$-minimal $x$-worlds are deemed
best among all the $x$-worlds, it is reasoned, the set $[K^{\odot}_{x}]$ should be identified with the
set of $\sqsubseteq$-minimal $x$-worlds.

There are two ways of responding to the second issue. On the first count, the principle
of choosing the best is a vacuous principle devoid of any prescriptive content since it


$x$. In order to satisfy the principle of category matching, the output should be a pair $\sqsubseteq'$ and
its arbitrary sphere $[K'] = [K^{\odot}_{x}]$. But since $[K^{\odot}_{x}]$ is $\sqsubseteq$-flat, there is no constructive way of
generating an expectation ordering $\sqsubseteq'$ in which $[K'] = [K^{\odot}_{x}]$ is a sphere but not necessarily
the central sphere. Hence the principle of category matching is violated by $\odot$.

simply means that whatever should be chosen should be chosen. Hence no matter what
one does, one cannot violate this, as it were, analytic principle. On the second count,
there is a dual to the principle of choosing the best: the principle of rejecting the worst
[NF98]. This principle says that in a choice context, reject the worst available alternatives
and retain the rest for further scrutiny. This principle has no less intuitive appeal
than the principle of choosing the best. Since the set $[K] \cap [x]$ (respectively, $[x]$)
possibly comprises more than two $\sqsubseteq$-equivalence classes, rejecting the worst
members from $[K] \cap [x]$ may still leave us with a set $[K^{\odot}_{x}]$ that is not $\sqsubseteq$-flat. We can
thus impose some relevant structure into $[K^{\odot}_{x}]$ on grounds no less justifiable than the
principle of minimality itself.

Finally, as to the third issue, there are at least two reasons why the principle of 
minimality should be violated both in the context of abduction and revision. Firstly, 
assuming that we employ the principle of rejecting the worst in the context of abduction, 
we need some special, overriding consideration to justify the principle of choosing the 
best (read minimality) in the context of revision. No such overriding considerations are 
available. This is an argument from the classic principle of insufficient reason. Secondly, 
and this is a pragmatic consideration, if we allow the principle of minimality to be 
employed in the context of revision, it is not going to solve the problem of iteration 
so far as acceptance is concerned. Once the agent accepts some belief contravening
evidence $x$, the resultant $[K^{\odot}_{x}]$ becomes $\sqsubseteq$-flat and we are back to the old problem!

I take the above discussion to justify the uniform employment of the principle of 
rejecting the worst in a reasoned account of acceptance. 


4 Acceptance Based on Rejection 


I pointed out above that the principle of minimality does not allow the theory of accep- 
tance to extend to an iterative account. I further argued that this principle is no more 
justified than its dual, the principle of rejecting the worst, which, if considered, may 
allow an iterative account of acceptance. In this section I will develop and examine a 
theory of acceptance based on the principle of rejecting the worst. 


4.1 The “Reject Worst Principle” and Acceptance


The principle of rejecting the worst essentially tells us that in a choice context, reject 
the worst among the available alternatives and retain the rest for further consideration. 
We must add a caveat to this in order to handle the special case when all alternatives 
are deemed to be equally desirable. In such a situation, all the available alternatives are 
worst (and also best). Since the goal is to ultimately choose some member or other from 
the alternatives, I will slightly weaken the principle:⁶


6 There are choice contexts where an agent may want not to choose any of the available alternatives.
For instance, a selection committee may want to re-advertise a position instead, if none
of the interested candidates satisfy the minimum prerequisites. There are many ways of looking
at it. An easy way out is to maintain that this set of candidates is not a set of alternatives in
the first place since they do not satisfy the minimum requirement of being an alternative. There
are other ways of reconciling this issue as well, but it is beyond the scope of this paper to go into
the details.

– In a choice context, given that not all the available alternatives are equally desirable,
reject the alternatives deemed to be worst with respect to the contextually
defined selection criteria, and retain the rest for future consideration. Otherwise,
reject none.


Let us denote the acceptance operation based on this principle of rejecting the worst
by the symbol $\circ$. Figure 4 pictures how different types of evidential data ($w$, $x$, $y$ and
$z$) are handled by this operation. Note in particular the case of evidence $y$. In this case,
the worst elements are rejected not from $[y]$ but from $[K] \cap [y]$. If we had rejected only
the worst elements of $[y]$, the result would not have been a subset of $[K]$, and we would
have lost part of the information in $K$, although the evidence is consistent with the
current knowledge!


Fig. 4. Acceptance Without Minimality. 


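Now I will formally define how, given an appropriate total preorder $\sqsubseteq$ on $M$ and a
belief set $K$ for $\sqsubseteq$, the non-minimal acceptance operation $\circ_{\sqsubseteq}$ (the subscript is
henceforth dropped) is constructed:


Definition 3 (from $\sqsubseteq$ to $\circ$) Where $\sqsubseteq$ is a total preorder on $M$ and $[K]$ a sphere for
$\sqsubseteq$,

$$
[K^{\circ}_{x}] =
\begin{cases}
[x] & \text{if } [x] \text{ is } \sqsubseteq\text{-flat} \\
\{w \in [x] \mid w \sqsubset w' \text{ for some } w' \in [x]\} & \text{else if } [K] \cap [x] = \emptyset \\
[K] \cap [x] & \text{else if } [K] \cap [x] \text{ is } \sqsubseteq\text{-flat} \\
\{w \in [K] \cap [x] \mid w \sqsubset w' \text{ for some } w' \in [K] \cap [x]\} & \text{otherwise.}
\end{cases}
$$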


This definition separates four distinct cases and treats them differently. First of all, if
$[x]$ is flat, irrespective of whether it intersects $[K]$ or not, the result is simply $[x]$. This is
because there is not enough structure in $[x]$ to do any more sophisticated operation. Else,
if $[x]$ is “outside” $[K]$ but is not flat, then the operation $\circ$ behaves like a non-minimal
belief revision [NF98]. In the third case, if $[x]$ intersects $[K]$ but the intersection itself
is flat, the result is simply $[K] \cap [x]$. Finally, if the intersection of $[K]$ and $[x]$ is not flat,
then it behaves like a non-minimal abduction operator.
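
The four cases can be traced in a short Python sketch. It rests on assumptions that are not in the source: worlds are hypothetical labels, the total preorder is encoded as an integer `rank` (lower is more preferred, so $w \sqsubset w'$ becomes `rank[w] < rank[w']`), and sentences are given as sets of worlds.

```python
def is_flat(worlds, rank):
    """All worlds in the set are equally preferred (or the set is empty)."""
    return len({rank[w] for w in worlds}) <= 1

def reject_worst(worlds, rank):
    """Keep every world that is strictly better than some world in the set."""
    worst = max(rank[w] for w in worlds)
    return {w for w in worlds if rank[w] < worst}

def accept(k_worlds, x_worlds, rank):
    """Definition 3: non-minimal acceptance of evidence [x] by belief state [K]."""
    if is_flat(x_worlds, rank):
        return set(x_worlds)                  # case 1: no structure to exploit
    common = k_worlds & x_worlds
    if not common:
        return reject_worst(x_worlds, rank)   # case 2: non-minimal revision
    if is_flat(common, rank):
        return common                         # case 3: plain expansion
    return reject_worst(common, rank)         # case 4: non-minimal abduction

rank = {"a": 0, "b": 1, "c": 2, "d": 3, "e": 4}
K = {"a", "b", "c"}                           # a sphere: all worlds of rank <= 2

print(sorted(accept(K, {"d"}, rank)))                   # ['d']
print(sorted(accept(K, {"d", "e"}, rank)))              # ['d']
print(sorted(accept(K, {"c", "d"}, rank)))              # ['c']
print(sorted(accept(K, {"a", "b", "c", "d"}, rank)))    # ['a', 'b']
```

In the last call the result keeps two layers of worlds, which is exactly the structure that the minimality based operation discards.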


4.2 Properties of Non-minimal Acceptance 


I outlined above an account of how the acceptance operator based on the principle of 
rejecting the worst can be constructed. Intuitive though this construction process is, it 
remains to be seen whether this operation has the properties required of an acceptance 
operator. Of the properties this operation satisfies, the following are especially interest- 
ing for reasons to be elaborated afterwards. Note the naming conventions followed: the 
numeric part of the name in general signifies which AGM postulate it is an analogue of 
and the (optional) alphabetic part signifies whether this property concerns the abductive 
behaviour or the revision behaviour of the operator $\circ$. For instance, the property (7.1A$\circ$)
corresponds to the AGM postulate (7) and concerns the abductive behaviour of $\circ$.


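(1$\circ$) $K^{\circ}_{x}$ is a theory
(2$\circ$) $x \in K^{\circ}_{x}$
(4$\circ$) If $K \nvdash \neg x$ then $Cn(K \cup \{x\}) \subseteq K^{\circ}_{x}$
(5$\circ$) $K^{\circ}_{x} = K_{\bot}$ iff $\vdash \neg x$
(6R$\circ$) If $\vdash x \leftrightarrow y$, then $K^{\circ}_{x} = K^{\circ}_{y}$
(6A$\circ$) If $K \vdash x \leftrightarrow y$, then $K^{\circ}_{x} = K^{\circ}_{y}$, given that $K \nvdash \neg x$
(7.1R$\circ$) If $K^{\circ}_{x} \not\subseteq Cn(x \wedge y)$ then $K^{\circ}_{x \wedge y} \subseteq Cn(K^{\circ}_{x} \cup \{y\})$,
given $K \vdash \neg x$
(7.1A$\circ$) If $K^{\circ}_{x} \not\subseteq Cn(K \cup \{x, y\})$ then $K^{\circ}_{x \wedge y} \subseteq Cn(K^{\circ}_{x} \cup \{y\})$,
given $K \nvdash \neg x$
(7.2R$\circ$) If $K^{\circ}_{x} = Cn(y)$ then $K^{\circ}_{x \wedge y} \subseteq Cn(K^{\circ}_{x} \cup \{y\})$,
given $K \vdash \neg x$
(7.2A$\circ$) If $K^{\circ}_{x} = Cn(K \cup \{y\})$ then $K^{\circ}_{x \wedge y} \subseteq Cn(K^{\circ}_{x} \cup \{y\})$,
given $K \nvdash \neg x$
(7.3R$\circ$) If $K^{\circ}_{x} \cap Cn(y) \subseteq Cn(x)$
then $K^{\circ}_{x \wedge y} \subseteq Cn(K^{\circ}_{x} \cup \{y\})$
(7.3A$\circ$) If $K^{\circ}_{x} \cap Cn(K \cup \{y\}) \subseteq Cn(K \cup \{x\})$
then $K^{\circ}_{x \wedge y} \subseteq Cn(K^{\circ}_{x} \cup \{y\})$, given $K \nvdash \neg x$
(8$\circ$) If $K^{\circ}_{x} \nvdash \neg y$ then $Cn(K^{\circ}_{x} \cup \{y\}) \subseteq K^{\circ}_{x \wedge y}$
(9R$\circ$) If $K \vdash \neg x$, $K^{\circ}_{x} \vdash \neg y$ but $x \nvdash \neg y$
then $K^{\circ}_{x \wedge y} = Cn(x \wedge y)$.
(9A$\circ$) If $K \cup \{x\} \nvdash \neg y$ but $K^{\circ}_{x} \vdash \neg y$
then $K^{\circ}_{x \wedge y} \subseteq Cn(K \cup \{x, y\})$.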


For an intuitive understanding of these constraints, it is helpful to view $K^{\circ}_{x}$ as the set of
sentences that the evidence $x$ can explain given the background knowledge $K$. Properties
(1$\circ$)–(6R$\circ$) are effectively basic postulates of the AGM revision operation, and
justification for them can be found in [Gar88]. Postulate (6A$\circ$) says that if two pieces
of evidence contain the same information relative to, and they do not conflict with, the
current knowledge, then accepting them has the same effect on the current knowledge.
Note that this is a stronger postulate than (6R$\circ$). Postulates (7.1R$\circ$)–(7.3A$\circ$) are several
variations of the AGM postulate (7). For instance, (7.1R$\circ$) says that, when $x$ conflicts
with the current knowledge $K$, if $x$ can explain certain things that cannot be classically
inferred from $x$ and $y$ together, then everything that $x$ and $y$ may possibly be able
to explain can be classically inferred from $y$ together with all that $x$ explains. On the
other hand, (7.1A$\circ$) may be paraphrased as follows: when $x$ does not conflict with the
current knowledge, if $x$ can explain certain things that cannot be classically inferred
from $K$, $x$ and $y$ together, then everything that $x$ and $y$ may possibly be able to explain
can be classically inferred from $y$ together with all that $x$ explains. All these variations
of (7*) tell us under what condition a piece of evidence $y$ loses its inferential power in
the presence of another piece of evidence $x$. Postulate (8$\circ$) says that $x$ and $y$ jointly fail to
explain something that follows from $y$ in the presence of what is explainable by $x$ only if
$y$ conflicts with something that is explained by $x$. Finally, postulates (9R$\circ$) and (9A$\circ$)
specify the conditions under which $x$ and $y$ cannot explain anything more than what
can be classically inferred from them, possibly in the presence of $K$.


4.3 Technical Results


In this section I will show that the theory of acceptance we have so far developed has
the desirable features one should expect from it. I will omit the proofs due to space
limitations. Our first result is the soundness property: that $\circ$ satisfies conditions
(1$\circ$)–(9A$\circ$).


Theorem 1 Let the operation $\circ$ be constructed from a given total preorder $\sqsubseteq$ on $M$
and its sphere $[K]$ as specified in Definition 3. The operation $\circ$ then satisfies the basic
properties (1$\circ$)–(9A$\circ$).
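
Since the proofs are omitted, a brute-force check on a small model can at least make the soundness claim tangible for a few of the properties. The sketch below is not a proof and covers only (2$\circ$), (4$\circ$) and (8$\circ$), read semantically; the five hypothetical worlds, the integer `rank` encoding (lower is more preferred) and the identification of sentences with sets of worlds are all assumptions of the example.

```python
from itertools import combinations

def is_flat(worlds, rank):
    return len({rank[w] for w in worlds}) <= 1

def reject_worst(worlds, rank):
    worst = max(rank[w] for w in worlds)
    return {w for w in worlds if rank[w] < worst}

def accept(k_worlds, x_worlds, rank):
    """Definition 3 on ranked worlds."""
    if is_flat(x_worlds, rank):
        return set(x_worlds)
    common = k_worlds & x_worlds
    if not common:
        return reject_worst(x_worlds, rank)
    if is_flat(common, rank):
        return common
    return reject_worst(common, rank)

def nonempty_subsets(worlds):
    items = sorted(worlds)
    for n in range(1, len(items) + 1):
        for combo in combinations(items, n):
            yield set(combo)

def check_postulates(k_worlds, rank):
    """Check (2), (4) and (8) for every pair of consistent sentences."""
    for x in nonempty_subsets(rank):
        kx = accept(k_worlds, x, rank)
        if not kx <= x:                                   # (2): x is accepted
            return False
        if k_worlds & x and not kx <= (k_worlds & x):     # (4): K and x are kept
            return False
        for y in nonempty_subsets(rank):
            # (8): if y is consistent with the result, accepting x-and-y
            # yields at least everything in Cn(result plus y).
            if kx & y and not accept(k_worlds, x & y, rank) <= (kx & y):
                return False
    return True

rank = {"a": 0, "b": 1, "c": 1, "d": 2, "e": 3}   # b and c are equally preferred
K = {"a", "b", "c"}                               # the sphere of rank <= 1
print(check_postulates(K, rank))                  # True
```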


The next result (completeness result) shows that given an acceptance operation $\circ$ that
satisfies (1$\circ$)–(9A$\circ$) and a fixed belief set $K$, we can construct a binary relation
$\sqsubseteq_{\circ,K}$ with the desired properties. (I will normally drop the subscripts for readability.)
In particular, I will show that, where $\sqsubseteq$ is the relation so constructed: (1) $\sqsubseteq$ is a total
preorder over $M$, (2) the SOS (System of Spheres) corresponding to $\sqsubseteq$ has $[K]$ as one of
its spheres.


Definition 4 (from $\circ$ to $\sqsubseteq$) Given an acceptance operation $\circ$ and a belief set $K$,
$w \sqsubseteq_{\circ,K} w'$ iff either (1) both $w \in [K]$ and $w' \notin [K]$ or (2) $w \in [K^{\circ}_{x}]$ whenever
$w' \in [K^{\circ}_{x}]$, for every sentence $x$ such that either (a) $K \vdash \neg x$ and both $w, w' \in [x]$ or
(b) $K \nvdash \neg x$ and both $w, w' \in [K] \cap [x]$.


Theorem 2 Let $\circ$ be an acceptance operation satisfying (1$\circ$)–(9A$\circ$) and $K$ a belief
set. Let $\sqsubseteq$ be generated from $\circ$ and $K$ as prescribed by Definition 4. Then $\sqsubseteq$ is a total
preorder on $M$ such that $[K]$ is one of the spheres of $\sqsubseteq$.


Theorems 1 and 2 jointly provide the representation result.

Furthermore, the total preorder $\sqsubseteq_{\circ,K}$ constructed from a given non-minimal revision
operation $\circ$ and belief set $K$ is the desired $\sqsubseteq$ in the sense that the non-minimal acceptance
operation constructed from it, in turn, behaves like the original operation $\circ$ with respect
to the belief set $K$.

Theorem 3 Let $\circ$ be a non-minimal belief revision operator satisfying postulates
(1$\circ$)–(9A$\circ$) and $K$ be an arbitrary belief set. Let $\sqsubseteq$ be defined from $\circ$ and $K$ in accordance
with Definition 4. Let $\circ' = \circ_{\sqsubseteq}$ be defined from $\sqsubseteq$, in turn, via Definition 3. Then for any
sentence $x$ (and the originally fixed belief set $K$) it holds that $K^{\circ}_{x} = K^{\circ'}_{x}$.


Conversely, if one starts with a total preorder $\sqsubseteq$, constructs an acceptance operation
$\circ$ from it via Definition 3, and then constructs a total preorder $\sqsubseteq'$ from that $\circ$ in turn via
Definition 4, one gets back the original relation $\sqsubseteq$.


Theorem 4 Let $\sqsubseteq$ be a total preorder on $M$ and $[K]$ one of its spheres. Let $\circ$ be defined
(for $K$) from $\sqsubseteq$ via Definition 3. Let $\sqsubseteq' = \sqsubseteq_{\circ,K}$ be defined from $\circ$, in turn, via Definition 4.
Then $w \sqsubseteq w'$ iff $w \sqsubseteq' w'$ for any two worlds $w, w' \in M$.


5 Discussion 


In this paper, first we argued that although in the literature on belief change, it is taken 
for granted that there can be no meaningful comparison among tenable hypotheses that 
have neither been accepted nor rejected, a case can be made for nontrivial comparison 
among them on the basis of their plausibility. Equipped with a measure that can compare 
among such hypotheses as well as among the beliefs (or disbeliefs, as the case may 
be), we modelled a comprehensive account of acceptance pretty much in the AGM-Grove
tradition. We then showed that this operation fails to take into account repeated
mind change on the part of the agent. Accordingly, we developed an alternative theory of
acceptance based on the principle of rejecting the worst. We motivated it on the ground 
that it can handle the problem of iterated acceptance. 

One of the things pointed out to be crucial in order to handle the problem of iteration
is satisfaction of the principle of category matching. It is only natural that in order
to provide an iterated account of acceptance, we identify an expectation ordering that
succeeds the current expectation ordering after a piece of evidence is accepted. The
acceptance operation $\circ$ as described so far fails to do that. Given an expectation ordering
$\sqsubseteq$, a belief set $K$ and a piece of evidence $x$, we know what the new belief set $K^{\circ}_{x}$ would
be; but we do not know what expectation ordering it is a sphere of. What we precisely
need is a more general acceptance operation $\bullet$ that accepts as parameters an expectation
ordering $\sqsubseteq$, a belief set $K$ associated with $\sqsubseteq$ and a piece of evidence $x$, and returns a
new expectation ordering $(\sqsubseteq, K)^{\bullet}_{x}$ one of whose spheres is $K^{\circ}_{x}$.

In general, there are many ways of satisfying these constraints. However, what we
need is a rational way of satisfying them. In the literature on iterated belief
change, there have been two basic approaches to solving the analogous problem, both
grounded in Spohn’s seminal work [Spo88]. One, based on what has come to be known
as conditionalisation, has been adopted in many works [Nay94, Wil94]. This approach
maintains the relative ordering of worlds that are consistent with the evidence as well
as of the worlds that falsify the evidence, but gives more priority to the former class of
worlds. The other, which has come to be known as adjustment, has been adopted by
[Wil94]. This approach, on the other hand, maintains the original ordering of all worlds
that are inconsistent with the new belief set, giving priority only to the worlds that
are consistent with the new belief set. In the account that follows, I adopt the former
strategy.


Definition 5 Let $\sqsubseteq$ be an expectation ordering and $K$ be a theory such that $[K]$ is a
sphere of $\sqsubseteq$. Let $x$ be a sentence. Then $(\sqsubseteq, K)^{\bullet}_{x} = (\sqsubseteq', K')$ where


1. $K' = K^{\circ}_{x}$
2. for all worlds $w, w'$: $w \sqsubseteq' w'$ iff both
(a) either $w \in [x]$ or $w' \notin [x]$, and
(b) if $w \not\sqsubseteq w'$ then both $w \in [x]$ and $w' \notin [x]$.


The first condition, $K' = K^{\circ}_{x}$, ensures that the revised $K$ matches the one mandated
by the acceptance operation $\circ$. The first clause of the second condition, namely either
$w \in [x]$ or $w' \notin [x]$, ensures that in the revised expectation ordering, worlds consistent
with the evidence $x$ are not accorded less priority than the worlds that falsify such
evidence. The second clause of the second condition, namely if $w \not\sqsubseteq w'$ then both
$w \in [x]$ and $w' \notin [x]$, ensures that the original priority among worlds is reversed only if it
conflicts with the principle that worlds consistent with the evidence should be accorded
more priority than the worlds falsifying the evidence.

I conclude this section with a quick proof that $[K^{\circ}_{x}]$ is indeed a sphere in the
expectation ordering $\sqsubseteq'$ thus defined. Suppose that $w \in [K^{\circ}_{x}]$ and $w' \sqsubseteq' w$ but $w' \notin [K^{\circ}_{x}]$.
Since $w \in [K^{\circ}_{x}]$, surely $w \in [x]$. Since $w' \sqsubseteq' w$, it follows that either $w' \in [x]$ or
$w \notin [x]$. Hence it follows that $w' \in [x]$. However, $w' \notin [K^{\circ}_{x}]$, from which it follows
that $w' \not\sqsubseteq w$. It follows from the second clause of the second condition that $w \notin [x]$,
contradicting the earlier result that $w \in [x]$. $\Box$
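
To see Definition 5 at work over two successive pieces of evidence, here is a minimal Python sketch. It assumes a toy encoding that is not in the source: the ordering is an integer `rank` (lower is more preferred), sentences are sets of hypothetical worlds, and clause 2 is realised by shifting every world that falsifies the evidence behind all worlds that satisfy it, which preserves the relative order inside each group.

```python
def is_flat(worlds, rank):
    return len({rank[w] for w in worlds}) <= 1

def reject_worst(worlds, rank):
    worst = max(rank[w] for w in worlds)
    return {w for w in worlds if rank[w] < worst}

def accept(k_worlds, x_worlds, rank):
    """Definition 3 on ranked worlds."""
    if is_flat(x_worlds, rank):
        return set(x_worlds)
    common = k_worlds & x_worlds
    if not common:
        return reject_worst(x_worlds, rank)
    if is_flat(common, rank):
        return common
    return reject_worst(common, rank)

def conditionalise(rank, x_worlds):
    """Clause 2 of Definition 5: x-worlds keep their order and precede all others."""
    shift = max(rank.values()) + 1
    return {w: (r if w in x_worlds else r + shift) for w, r in rank.items()}

def is_sphere(worlds, rank):
    worst = max(rank[w] for w in worlds)
    return all(w in worlds for w in rank if rank[w] <= worst)

def accept_and_reorder(rank, k_worlds, x_worlds):
    """Return the new (ordering, belief state) pair for evidence [x]."""
    return conditionalise(rank, x_worlds), accept(k_worlds, x_worlds, rank)

rank0 = {"a": 0, "b": 1, "c": 2, "d": 3}
K0 = {"a", "b"}

rank1, K1 = accept_and_reorder(rank0, K0, {"b", "c", "d"})
rank2, K2 = accept_and_reorder(rank1, K1, {"a", "c", "d"})

print(sorted(K1), is_sphere(K1, rank1))   # ['b'] True
print(sorted(K2), is_sphere(K2, rank2))   # ['c', 'd'] True
```

After the second step the belief state still has two layers and is a sphere of the updated ordering, so a third piece of evidence could be processed in the same way.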
Abstract. A new tree-based representation for propositional formulas,
named A-tree, is introduced. A-trees allow a compact representation for 
negation normal forms as well as for a number of reduction strategies 
in order to consider only those occurrences of literals which are relevant 
for the satisfiability of the input formula. These reduction strategies are 
divided into two subsets (meaning- and satisfiability-preserving transfor- 
mations) and can be used to decrease the size of a negation normal form 
A at (at most) quadratic cost. The reduction strategies are aimed at 
decreasing the number of required branchings and, therefore, these stra- 
tegies allow to limit the size of the search space for the SAT problem. 


1 Introduction 


Efficient representations for formulas in negation normal form (nnfs) are 
necessary in order to describe and implement efficient algorithms on this kind of 
formulas. The ability to reason on specifications written in a language as close as 
possible to natural language is important for information sciences; thus, 
reasoning efficiently on nnfs is interesting because these formulas are easier to obtain 
from specifications given in natural language. 

Formulas in conjunctive normal form (cnf or in clause form) are usually 
interpreted as lists of clauses, and formulas in disjunctive normal form (dnf) 
are interpreted as lists of cubes; these interpretations allow efficient descriptions 
and implementations of algorithms to study satisfiability (e.g. linear ordered 
resolution). In this work we use the generalization of these interpretations to 
nnfs given by the Δ-trees, that is, we use trees of clauses and cubes. Specifically, 
nnfs are represented as trees of clauses and cubes such that each clause-node in 
the tree is an implicant of the formula represented by its scope and, similarly, 
each cube-node is an implicate of the formula represented by its scope. The 
new representation is named Δ-tree because its nodes are built up from 
Δ-lists [2]. After defining the notion of Δ-tree, the operators Norm and Δ-Tree are 
introduced which, respectively, associate a nnf to each Δ-tree and vice versa. In 
addition, it can be shown that this correspondence preserves equivalence and, 
therefore, we can easily extend the concepts of validity and satisfiability to 
Δ-trees. 

We introduce the concept of restricted Δ-tree (generalizing the well-known 
concept of restricted cnf in which clauses with repeated or contradictory literals 
are not allowed and subsumed clauses are omitted), which involves only restricted 
clauses and cubes in the representation and, in addition, forbids a single 
literal from being both an implicant and an implicate of the same subformula. 

Later, we introduce meaning-preserving transformations, with at most 
quadratic complexity, which eliminate the conclusive or simple nodes and usually 
reduce the size of the input Δ-tree. Roughly speaking, a conclusive node in a 
Δ-tree is one which can be substituted by a logical constant preserving the meaning 
of the whole tree, and a simple node in a Δ-tree is one whose subformula 
is equivalent to a literal; thus, we introduce the so-called restricted 
Δ-tree, which generalizes the concept of restricted cnf. In addition, several 
satisfiability-preserving transformations are presented which generalize the one 
literal rule and the pure literal rule from the clausal framework. Some of these 
transformations were introduced in [2], and described using the so-called Δ-sets. 
The fact that Δ-sets are no longer necessary when working with Δ-trees is 
extremely interesting when implementing the method, since the simple data structure 
of the Δ-tree stores both the information about the structure of the formula and its 
associated Δ-sets. 

Finally, the last section includes some experimental results from an 
implementation of the method described in [2] based on Δ-trees. 


2 Preliminary Concepts and Definitions 


Throughout the rest of the paper, we will work with a classical propositional 
language, $\mathcal{L}$, over a denumerable set of propositional variables, $\mathcal{V}$, and connectives 
$\{\neg, \wedge, \vee\}$, the semantics for this language being the standard one. We will write 
$A \equiv B$ to denote that $A$ and $B$ are logically equivalent, and $\Omega \models A$ to denote 
that $A$ is a logical consequence of $\Omega$, that is, any model of $\Omega$ is a model of $A$. 
We will use the usual notions of literal (propositional variable or the negation 
of a propositional variable), clause (disjunction of literals), cube (conjunction of 
literals), and negation normal form (a formula in which the negations are only 
in the literals). 

In this paper, we will always use cubes and clauses ordered by the 
lexicographic order in the set of literals, denoted $\mathcal{V}^{\pm}$. 


- A literal $\ell$ is an implicant of a formula $A$ if $\ell \models A$. 
- A literal $\ell$ is an implicate of a formula $A$ if $A \models \ell$. 


We will use the standard notion of tree and address of a node in a tree [6]. 
An address $\eta$ in the syntactic tree $T_A$ of a formula $A$ will also mean, when no 
confusion arises, the subformula of $A$ corresponding to the node of address $\eta$ in 
$T_A$; $\varepsilon$ will denote the address of the root node. 
We will also use finite lists written in juxtaposition, with the standard 
notation, nil, for the empty list. If $\lambda$ and $\lambda'$ are lists, $\ell \in \lambda$ denotes that $\ell$ is 
an element of $\lambda$; and $\lambda \subseteq \lambda'$ means that all elements of $\lambda$ are elements of $\lambda'$. 
The conjugate of a literal $\ell$ is denoted as $\bar{\ell}$, with the standard meaning, that is, 
$\bar{p} = \neg p$ and $\overline{\neg p} = p$. If $\lambda = \ell_1 \ell_2 \dots \ell_n$ is a list of literals, then $\bar{\lambda} = \bar{\ell}_1 \bar{\ell}_2 \dots \bar{\ell}_n$. 


3 The Δ-Trees 


In this section we introduce the concept of Δ-tree as an alternative representation 
of nnfs: 


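Definition 1 (Δ-tree). A Δ-tree $T$ in $\mathcal{L}$ is a tree with labels in the set 
$H = \{[\alpha]\lambda \mid \lambda \in List(\mathcal{V}^{\pm}) \cup \{\bot\}\} \cup \{[\beta]\lambda \mid \lambda \in List(\mathcal{V}^{\pm}) \cup \{\top\}\}$ 


inductively defined by the three properties below: 


1. The leaves in a Δ-tree are elements in $H$. 
2. Let $T_1, \dots, T_m$ be Δ-trees whose roots are $[\beta]\lambda_1, \dots, [\beta]\lambda_m$ and $[\alpha]\lambda \in H$; 
then the tree with root $[\alpha]\lambda$ and immediate subtrees $T_1, \dots, T_m$ 
is a (conjunctive) Δ-tree. 
3. Let $T_1, \dots, T_m$ be Δ-trees whose roots are $[\alpha]\lambda_1, \dots, [\alpha]\lambda_m$ and $[\beta]\lambda \in H$; 
then the tree with root $[\beta]\lambda$ and immediate subtrees $T_1, \dots, T_m$ 
is a (disjunctive) Δ-tree. 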


Every Δ-tree $T$ can be interpreted as a propositional formula $A$ in nnf. This 
interpretation also makes it possible to identify the subtrees of $T$ with subformulas of $A$. The 
idea is just to consider each $\alpha$-node (resp. $\beta$-node) as a conjunction (resp. 
disjunction) with the literals in $\lambda$ as immediate successors in addition to the 
subformulas represented by its immediate successors, $T_i$, in the Δ-tree; the nnf so 
obtained from a Δ-tree $T$ will be denoted by Norm($T$). In the case of an empty 
clause or an empty cube we have $[\alpha]\mathrm{nil} \equiv \top$ and $[\beta]\mathrm{nil} \equiv \bot$; that is why the 
definition does not include the cases $[\alpha]\top$ and $[\beta]\bot$. 
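
The interpretation just described can be sketched in Python. This is only an illustration under stated assumptions: the class `DeltaTree`, the function `norm`, the encoding of literals as strings (`"-p"` standing for the conjugate of `p`) and the ASCII connectives `&` and `|` are all hypothetical choices of this sketch, and the constant labels $[\alpha]\bot$ and $[\beta]\top$ are left out for brevity.

```python
from dataclasses import dataclass, field
from typing import List


@dataclass
class DeltaTree:
    kind: str                     # "alpha" (conjunctive) or "beta" (disjunctive)
    literals: List[str]           # the list of literals attached to the node
    children: List["DeltaTree"] = field(default_factory=list)


def norm(tree: DeltaTree) -> str:
    """Return the nnf represented by `tree` as a string."""
    # The literals of the node and the formulas of its subtrees are all
    # immediate successors of one conjunction (alpha) or disjunction (beta).
    parts = list(tree.literals) + [norm(child) for child in tree.children]
    if not parts:
        # An empty cube is true, an empty clause is false.
        return "T" if tree.kind == "alpha" else "F"
    if len(parts) == 1:
        return parts[0]
    connective = " & " if tree.kind == "alpha" else " | "
    return "(" + connective.join(parts) + ")"
```

For instance, a root labeled with the cube `p` and a single leaf labeled with the clause `r s` is rendered as `(p & (r | s))`.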

We can go the other way round as well, and generate a Δ-tree representative 
for each nnf. But, in order to be able to generalize the reductions to the Δ-trees, 
we want the lists $\lambda$ to carry more information than this: we want them to be 
the Δ-lists. In the next section we present a short summary of Δ-lists. These 
were first introduced in [1], and have been recently used in the development 
of a large set of reduction strategies for studying the satisfiability of non-clausal 
propositional formulas [2]. 
3.1 A Short Review of Δ-Lists 


We associate to each nnf $A$ a pair of lists of literals denoted $\Delta_0(A)$ and $\Delta_1(A)$, 
the so-called associated Δ-lists of $A$. 

In a nutshell, $\Delta_0(A)$ and $\Delta_1(A)$ are, respectively, lists of implicates and 
implicants of $A$. 


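Definition 2 (Δ-lists). Given a nnf $A$, $\Delta_0(A)$ and $\Delta_1(A)$ are elements of 
$List(\mathcal{V}^{\pm}) \cup \{\top, \bot\}$ called Δ-lists associated with $A$, recursively defined as follows: 


$$
\begin{array}{ll}
\Delta_0(\ell) = \ell & \Delta_1(\ell) = \ell \\
\Delta_0(\bot) = \bot & \Delta_1(\bot) = \mathrm{nil} \\
\Delta_0(\top) = \mathrm{nil} & \Delta_1(\top) = \top \\
\Delta_0\left(\bigwedge_{i=1}^{n} A_i\right) = \bigcup_{\bot}{}_{i=1}^{n}\, \Delta_0(A_i) & \Delta_1\left(\bigwedge_{i=1}^{n} A_i\right) = \bigcap_{i=1}^{n} \Delta_1(A_i) \\
\Delta_0\left(\bigvee_{i=1}^{n} A_i\right) = \bigcap_{i=1}^{n} \Delta_0(A_i) & \Delta_1\left(\bigvee_{i=1}^{n} A_i\right) = \bigcup_{\top}{}_{i=1}^{n}\, \Delta_1(A_i)
\end{array}
$$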


In the definition above there are two versions of the union operator, which 
are explained by the intended interpretation of these sets and 
Theorem 1 below: 


1. Elements in $\Delta_0$ are considered to be conjunctively connected. Namely, if $\ell$ 
and $\bar{\ell} \in \Delta_0(A)$, then $\Delta_0(A)$ simplifies to $\bot$. This way, we obtain a set of 
implicates which can be thought of as a cube. 

2. Elements in $\Delta_1$ are considered to be disjunctively connected. Namely, if $\ell$ 
and $\bar{\ell} \in \Delta_1(A)$, then $\Delta_1(A)$ simplifies to $\top$. This way, we obtain a set of 
implicants which can be thought of as a clause. 


The next theorem states that elements of $\Delta_0(A)$ are implicates of $A$, and that 
elements of $\Delta_1(A)$ are implicants of $A$. It follows easily by structural induction 
from the definition of Δ-lists. 


Theorem 1 ([2]). Let $A$ be a nnf and $\ell$ be a literal in $A$; then: 


1. If $\ell \in \Delta_0(A)$, then $A \models \ell$ and, equivalently, $A \equiv \ell \wedge A$. 
2. If $\ell \in \Delta_1(A)$, then $\ell \models A$ and, equivalently, $A \equiv \ell \vee A$. 
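
The recursive definition of the Δ-lists can be illustrated with a short Python sketch. Everything in it is an assumption made for the example: formulas are nested tuples `("and", [...])` / `("or", [...])` over literal strings (`"-p"` is the conjugate of `p`), logical constants inside the input are not handled, the names `delta_lists`, `BOT` and `TOP` are hypothetical, and a constant list is treated as neutral for intersection, a convention chosen here and not taken from the text.

```python
from functools import reduce

BOT, TOP = "BOT", "TOP"   # stand-ins for the two constant Delta-lists


def conj(lit):
    """Conjugate of a literal written as 'p' or '-p'."""
    return lit[1:] if lit.startswith("-") else "-" + lit


def union(lists, constant):
    """Union that collapses to `constant` when a literal meets its conjugate."""
    if any(l == constant for l in lists):
        return constant
    merged = set().union(*lists)
    if any(conj(l) in merged for l in merged):
        return constant
    return sorted(merged)


def intersection(lists, constant):
    """Intersection; constant lists are skipped (assumption of this sketch)."""
    proper = [set(l) for l in lists if l != constant]
    if not proper:
        return constant
    return sorted(reduce(set.intersection, proper))


def delta_lists(f):
    """Return the pair (Delta_0(f), Delta_1(f)) for an nnf without constants."""
    if isinstance(f, str):                      # a literal
        return [f], [f]
    op, args = f
    d0s, d1s = zip(*(delta_lists(a) for a in args))
    if op == "and":
        return union(d0s, BOT), intersection(d1s, TOP)
    return intersection(d0s, BOT), union(d1s, TOP)
```

On the formula (p ∨ q) ∧ (r ∨ s) ∧ ((p ∧ q) ∨ p), used later in Example 2, the sketch returns the implicate list `["p"]` and an empty implicant list.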


As an easy consequence of the previous theorem we get the following corollary, 
defining a meaning-preserving substitution for a formula $A$ whose result contains 
only one occurrence of any literal in the Δ-lists of $A$. 


Corollary 1. Let $A$ be a nnf and $\ell$ a literal in $A$. Then: 


1. If $\ell \in \Delta_0(A)$, then $A \equiv A[\ell/\top, \bar{\ell}/\bot] \wedge \ell$. 
2. If $\ell \in \Delta_1(A)$, then $A \equiv A[\ell/\bot, \bar{\ell}/\top] \vee \ell$. 


Remark 1. The substitution defined in the corollary above never increases the 
size of $A$; actually, the size is always decreased except in the following cases: 
1. If $A$ is a conjunctive formula such that $\ell \in \Delta_0(A)$, and there is only one 
occurrence of $\ell$. 

2. If $A$ is a disjunctive formula such that $\ell \in \Delta_1(A)$, and there is only one 
occurrence of $\ell$. 


3.2 Back to the Δ-Trees 


Given a nnf $A$, the operator Δ-Tree generates a Δ-tree whose nodes are the 
Δ-lists associated to $A$. 


Definition 3 (Operator Δ-Tree). Let $A$ be a nnf; we generate a Δ-tree by 
using the operator Δ-Tree, recursively defined as follows: 


1. Let $A$ be a clause, $A \neq \bot$; then Δ-Tree($A$) $= [\beta]\Delta_1(A)$. 

2. Let $A$ be a cube such that $A \neq \top$ and $A$ is not a literal; then 
Δ-Tree($A$) $= [\alpha]\Delta_0(A)$. 

3. Let $A$ be a disjunctive nnf, and let $A_1, \dots, A_n$, with $n \geq 1$, be the non-literal 
disjuncts of $A$; then Δ-Tree($A$) is the tree with root $[\beta]\Delta_1(A)$ and immediate 
subtrees Δ-Tree($A_1$), ..., Δ-Tree($A_n$). 

4. Let $A$ be a conjunctive nnf, and let $A_1, \dots, A_n$, with $n \geq 1$, be the non-literal 
conjuncts of $A$; then Δ-Tree($A$) is the tree with root $[\alpha]\Delta_0(A)$ and immediate 
subtrees Δ-Tree($A_1$), ..., Δ-Tree($A_n$). 


Example 1. Consider A = ((pA(BV(qAT))) VaVr)A((BAQ)V (pAg))A(GAD) Vr), 
where every node $\eta$ has associated the pair $(\Delta_0(\eta), \Delta_1(\eta))$: 


[Figure: syntactic tree of A, each node annotated with its pair of Δ-lists; the root carries (q, nil)] 


For the formula A above we have that Δ-Tree(A) is: 


[Figure: Δ-Tree(A), whose root is labeled $[\alpha]q$] 


Note that for the previous example Norm(Δ-Tree($A$)) is not equal to $A$, for a new 
literal $q$ is attached as an immediate successor of the root node, making explicit 
that $q$ is an implicate of the formula. Anyway, operators Norm and Δ-Tree are 
inverse, up to equivalence, as stated in the following result. 


Theorem 2. Let $A$ be a nnf. Then $A \equiv$ Norm(Δ-Tree($A$)). 


It is worth remarking that, in some sense, the structure of the Δ-tree makes it 
possible to replace reasoning with literals by reasoning on clauses and cubes. 


4 Restricted Δ-Trees 


In this section, meaning-preserving transformations are introduced which make it 
possible to reduce the size of a Δ-tree and get a normal form for it. These transformations 
extend to Δ-trees the definitions of $\Delta_0$-conclusive, $\Delta_1$-conclusive and $\ell$-simple 
given for nnfs in [2]. 


4.1 Subformulas Which Can Be Substituted by Constants 


The result of Corollary 1 is extended to Δ-trees, in that not only literals, but also 
subformulas can be substituted by the constants $\top$ or $\bot$. The operators $\Phi_0$ and 
$\Phi_1$ on Δ-trees reduce a Δ-tree by deleting its redundant nodes, that is, those 
nodes which can be substituted by logical constants in a meaning-preserving 
way. 


Definition 4 (0-conclusive node). A node $\eta$ of a Δ-tree $T$ is said to 
be 0-conclusive if it satisfies any of the following conditions: 


- It is labeled with $[\alpha]\bot$. 

- It is a monary node labeled with $[\beta]\mathrm{nil}$. 

- It is labeled with $[\alpha]\lambda$, it has an immediate successor $[\beta]\lambda'$ which is a leaf 
and $\overline{\lambda'} \subseteq \lambda$. 

- It is labeled with $[\alpha]\lambda$, its predecessor is labeled with $[\beta]\lambda'$ and $\lambda \cap \lambda' \neq \emptyset$. 


The operator $\Phi_0$ searches for and deletes the 0-conclusive nodes by applying 
the following steps: 
- If $\eta$ is labeled with $[\alpha]\bot$ and $\eta \neq \varepsilon$, then $\Phi_0$ deletes $\eta$. 

- If $\eta$ is a monary node labeled with $[\beta]\mathrm{nil}$, then $\Phi_0$ deletes $\eta$ and collapses 
its ancestors with its (only) successor. 

- If $\eta$ is labeled with $[\alpha]\lambda$, it has an immediate successor $[\beta]\lambda'$ which is a leaf 
and $\overline{\lambda'} \subseteq \lambda$, then $\Phi_0$ substitutes $\eta$ by $[\alpha]\bot$. 

- If $\eta$ is labeled with $[\alpha]\lambda$, its predecessor is labeled with $[\beta]\lambda'$ and $\lambda \cap \lambda' \neq \emptyset$, 
then $\Phi_0$ deletes $\eta$. 


Intuitively, the previous definition detects those nodes in the Δ-tree which, in 
some sense, can be substituted by $\bot$ without affecting the meaning. The effective 
deletion of those nodes is made by an operator, $\Phi_0$. 


Theorem 3. Let $T$ be a Δ-tree. The operator $\Phi_0$ has quadratic complexity in the 
worst case, $\Phi_0(T)$ has no 0-conclusive nodes and, in addition, $T \equiv \Phi_0(T)$. 


The 1-conclusive nodes and the operator $\Phi_1$ are defined by duality, 
interchanging $\alpha$ and $\beta$, and replacing $\bot$ by $\top$. 


4.2 Simple Leaves 


In order to get to a restricted Δ-tree it is also necessary to detect which leaves 
are redundant, in the sense that they do not represent proper clauses or cubes, but 
literals. 


Definition 5 (Simple node). Let $T$ be a non-leaf Δ-tree, and let $\eta$ be a leaf in 
$T$. We say that $\eta$ is simple if it is labeled with either $[\alpha]\ell$ or $[\beta]\ell$, where $\ell \in \mathcal{V}^{\pm}$. 


Theorem 4. Let $T$ be a Δ-tree; then there exists an operator $\Phi_\ell$, with linear 
complexity in the worst case, such that $\Phi_\ell(T)$ is a Δ-tree without simple leaves 
and, in addition, $T \equiv \Phi_\ell(T)$. 


4.3 Updated Δ-Trees 


A useful property of the operator Δ-Tree is that, given a nnf $A$, in Δ-Tree($A$) 
the label of each $[\alpha]$ (resp. $[\beta]$) node is the $\Delta_0$- (resp. $\Delta_1$-)list associated to the 
subformula that it represents. However, this property need not hold when some 
transformation has already been applied to the tree. 


Definition 6 (Updated node, updated tree). Let $T$ be a Δ-tree, and let $\eta$ 
be a node of $T$ that is neither a leaf nor the root. Let $[\odot]\lambda$ be the label of the 
predecessor of $\eta$, and let $[\odot]\lambda_1, \dots, [\odot]\lambda_n$ be the labels of its immediate successors. 
We say that $\eta$ can be updated if it satisfies some of the next conditions: 


1. It is labeled with [O]nil O00 (Digs oy ak Coe 


2. It is labeled with [O|é for some ¢ € V* and satisfies both € € X and £ € 
(estoy ig 


We say that a tree $T$ is updated if it has no nodes that can be updated. 
In order to obtain an updated Δ-tree, we have to drive upwards all those 
literals that can be generated by intersections; this operation is done by the 
operator Update. 


Theorem 5. If $T$ is a Δ-tree, there exists an operator Update, with quadratic 
complexity in the worst case, such that Update($T$) is updated and, in addition, 
Update($T$) $\equiv T$. 


4.4 Restricted Δ-Trees 


Definition 7 (Restricted tree). Let $T$ be a Δ-tree. If $T$ is updated and it has 
neither 0-conclusive nodes nor 1-conclusive nodes nor simple leaves, then it is 
said to be restricted. 


The operators defined in the previous sections allow us to transform every 
Δ-tree into another equivalent and restricted one. 


Definition 8 (Operator Restrict). If $T$ is a Δ-tree, Restrict traverses $T$ 
and in every node it tests whether the node is 0-conclusive, or 1-conclusive, 
or a simple leaf, or a node that can be updated, and in this case applies the 
corresponding operator in $\{\Phi_0, \Phi_1, \Phi_\ell, \mathrm{Update}\}$. 

From Theorems 3-5 we immediately obtain the following result. 

Theorem 6. Let $T$ be a Δ-tree; then Restrict($T$) is restricted and, in addition, 
$T \equiv$ Restrict($T$). 


Example 2. Given the formula $A = (p \vee q) \wedge (r \vee s) \wedge ((p \wedge q) \vee p)$, whose associated 
Δ-tree is 


            [α]p 
   [β]pq   [β]rs   [β]p 
                     | 
                   [α]pq 

An application of the operator $\Phi_0$ (node 3 can be reduced) leads to 


            [α]p 
   [β]pq   [β]rs   [β]p 

Now, operator $\Phi_1$ is applied to node 3, and we obtain 


            [α]p 
   [β]pq   [β]rs 

Finally, operator $\Phi_1$ can be applied again, for the occurrence of $p$ in the root 
makes it possible to reduce that in node 1, giving the restricted Δ-tree 


            [α]p 
             | 
           [β]rs 


which, using the operator Norm, leads to the formula $p \wedge (r \vee s)$. 
5 Equisatisfiability of Δ-Trees 


In this section several satisfiability-preserving transformations are introduced 
which make it possible to reduce the size of a Δ-tree $T$. These transformations are called 
complete reduction, subreduction (reduction of Δ-subtrees) and a purity rule. 

Recall that the substitution of a logical constant for a literal $\ell$, denoted 
$A[\ell/\top, \bar{\ell}/\bot]$, represents the formula obtained from $A$ substituting all occurrences 
of $\ell$ by $\top$, and all occurrences of $\bar{\ell}$ by $\bot$. We extend this notion to Δ-trees using 
the definition below: 


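Definition 9 (Substitutions on Δ-trees). Let $T$ be a Δ-tree; then $T[\ell/\top, \bar{\ell}/\bot]$ 
denotes the Δ-tree obtained by traversing $T$ and applying the following 
transformations: 


- If $\ell \in \lambda$ and $[\beta]\lambda$ is the label of $\eta \neq \varepsilon$, then the subtree rooted at $\eta$ in $T$ is 
deleted. 

- If $\bar{\ell} \in \lambda$ and $[\alpha]\lambda$ is the label of $\eta \neq \varepsilon$, then the subtree rooted at $\eta$ in $T$ is 
deleted. 

- If $\ell \in \lambda$ and $[\alpha]\lambda$ is the label of $\eta$ in $T$, then $\ell$ is deleted from $\lambda$. 

- If $\bar{\ell} \in \lambda$ and $[\beta]\lambda$ is the label of $\eta$ in $T$, then $\bar{\ell}$ is deleted from $\lambda$. 

- If $\ell \in \lambda$ and $[\beta]\lambda$ is the label of $\varepsilon$, then $T[\ell/\top, \bar{\ell}/\bot] = \top$. 

- If $\bar{\ell} \in \lambda$ and $[\alpha]\lambda$ is the label of $\varepsilon$, then $T[\ell/\top, \bar{\ell}/\bot] = \bot$. 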

The following easy-to-prove lemma states that the definition we have just 
given coincides with the usual meaning of substitution in formulas. 


Lemma 1. Let $T$ be a Δ-tree. Then Norm($T[\ell/\top, \bar{\ell}/\bot]$) $\equiv$ Norm($T$)$[\ell/\top, \bar{\ell}/\bot]$. 
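
A minimal Python sketch of the substitution on Δ-trees may help to see how the six cases interact. The names `DeltaTree`, `conj` and `substitute`, the string encoding of literals (`"-p"` for the conjugate of `p`) and the use of the Python constants `True` and `False` for a root that collapses are assumptions of this sketch; nodes labeled with a logical constant are not modeled.

```python
from dataclasses import dataclass, field
from typing import List


@dataclass
class DeltaTree:
    kind: str                     # "alpha" or "beta"
    literals: List[str]
    children: List["DeltaTree"] = field(default_factory=list)


def conj(lit):
    """Conjugate of a literal written as 'p' or '-p'."""
    return lit[1:] if lit.startswith("-") else "-" + lit


def substitute(tree, lit):
    """Replace `lit` by true and its conjugate by false throughout `tree`."""
    neg = conj(lit)
    # Root cases: a clause containing lit is true, a cube containing
    # the conjugate of lit is false.
    if tree.kind == "beta" and lit in tree.literals:
        return True
    if tree.kind == "alpha" and neg in tree.literals:
        return False
    return _rewrite(tree, lit, neg)


def _rewrite(node, lit, neg):
    # A true literal is dropped from a cube, a false one from a clause.
    dropped = lit if node.kind == "alpha" else neg
    kept = []
    for child in node.children:
        # A beta child containing lit, or an alpha child containing the
        # conjugate, is deleted together with its whole subtree.
        killer = lit if child.kind == "beta" else neg
        if killer in child.literals:
            continue
        kept.append(_rewrite(child, lit, neg))
    literals = [l for l in node.literals if l != dropped]
    return DeltaTree(node.kind, literals, kept)
```

Applied to the tree of (p ∨ q) ∧ (¬p ∨ r ∨ (p ∧ s)) with the literal p, the sketch deletes the first clause and shortens the second one, leaving a tree for r ∨ s.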


Given a Δ-tree $T$ and a set of literals $\Gamma$, we will denote by $T[\Gamma/\top, \bar{\Gamma}/\bot]$ the 
Δ-tree obtained by substituting all the literals of $\Gamma$ by $\top$, and their opposites 
by $\bot$. 


5.1 Complete Reduction 


The first satisfiability-preserving transformation we are introducing is called 
complete reduction, and can be seen as a generalization of the one literal rule 
in the Davis-Putnam algorithm for satisfiability. We first define what a 
completely reducible Δ-tree is and, then, the corresponding theorem about complete 
reduction is stated. 


Definition 10 (Completely reducible Δ-tree). If $T$ is a Δ-tree and its root 
is $[\alpha]\lambda$ with $\lambda \neq \mathrm{nil}$, we say that $T$ is completely reducible. 


Theorem 7. Let $T$ be a completely reducible Δ-tree with root $[\alpha]\lambda$ and let $\Gamma$ be 
the set $\{\ell_i \mid \ell_i \in \lambda\}$. Then $T$ is satisfiable iff $T[\Gamma/\top, \bar{\Gamma}/\bot]$ is satisfiable. 
Furthermore, if $I$ is a model of $T[\Gamma/\top, \bar{\Gamma}/\bot]$, then any extension $I'$ of $I$ satisfying 
$I'(\ell) = I(\ell)$ if $\ell \notin \Gamma$, and $I'(\ell) = 1$ if $\ell \in \Gamma$, is a model of $T$. 


188 Gloria Gutiérrez et al. 


5.2 Subreduction 


All the transformations performed by the operator Restrict only use the 
information of a node and its immediate successors. The next transformation uses the 
information in a node to simplify all its descendants. 


Theorem 8. Let $T$ be a Δ-tree and $\eta$ a node of $T$. If $[\odot]\lambda$ is the label of $\eta$, 
$\ell \in \lambda$ and there is an ancestor $\eta'$ of $\eta$ verifying one of the following conditions 


1. $[\odot]\lambda'$ is the label of $\eta'$, and $\bar{\ell} \in \lambda'$, or 
2. $[\bar{\odot}]\lambda'$ is the label of $\eta'$, and $\ell \in \lambda'$, 


then the Δ-tree $T'$ obtained by deleting the subtree rooted at $\eta$ in $T$ is equivalent 
to $T$. 


It is important to notice that Norm($\eta$) need not be equivalent to $\bot$ or $\top$ 
(depending on $\odot$), but the Δ-trees obtained after the substitution are equivalent. 

The next theorem states how a Δ-tree can be reduced when Theorem 8 
cannot be applied. 


Theorem 9. Let $T$ be a Δ-tree and $\eta$ a node of $T$. If $[\odot]\lambda$ is the label of $\eta$, 
$\ell \in \lambda$ and there is an ancestor $\eta'$ of $\eta$ verifying one of the following conditions 


1. $[\odot]\lambda'$ is the label of $\eta'$, and $\ell \in \lambda'$, or 
2. $[\bar{\odot}]\lambda'$ is the label of $\eta'$, and $\bar{\ell} \in \lambda'$, 


then the Δ-tree $T'$ obtained by erasing the literal $\ell$ in $\lambda$ is equivalent to $T$. 


By using Theorems 8 and 9 we can define the operator SubReduce as follows: 


Definition 11 (Operator SubReduce). Let $T$ be a Δ-tree; then SubReduce($T$) 
is the Δ-tree obtained by traversing $T$ in a reverse depth-first order (from leaves 
to the root, and from right to left) and performing the transformations given by 
Theorems 8 and 9. 


The following theorem, a simple consequence of Theorems 8 and 9, states 
that SubReduce implements a meaning-preserving substitution. 


Theorem 10. Let $T$ be a Δ-tree. Then SubReduce($T$) $\equiv T$. 
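
The effect of subreduction can be sketched in Python as follows. Note that this sketch is a top-down variant that carries the literals forced by the ancestors down the tree; it is not the reverse depth-first traversal of Definition 11, and the names `DeltaTree`, `conj` and `sub_reduce`, as well as the string encoding of literals, are assumptions made for the illustration.

```python
from dataclasses import dataclass, field
from typing import List


@dataclass
class DeltaTree:
    kind: str                     # "alpha" or "beta"
    literals: List[str]
    children: List["DeltaTree"] = field(default_factory=list)


def conj(lit):
    """Conjugate of a literal written as 'p' or '-p'."""
    return lit[1:] if lit.startswith("-") else "-" + lit


def sub_reduce(node, true_lits=frozenset()):
    """Simplify `node` with the literals that its ancestors force to be true.

    Returns the reduced subtree, or None when the subtree is deleted.
    """
    if node.kind == "alpha":
        # In a cube a false literal kills the node, a true one is redundant.
        fatal = [l for l in node.literals if conj(l) in true_lits]
        kept = [l for l in node.literals if l not in true_lits]
        forced = set(node.literals)
    else:
        # In a clause a true literal kills the node, a false one is redundant.
        fatal = [l for l in node.literals if l in true_lits]
        kept = [l for l in node.literals if conj(l) not in true_lits]
        forced = {conj(l) for l in node.literals}
    if fatal:
        return None                               # deletion of the subtree
    scope = frozenset(true_lits) | forced         # information for descendants
    children = []
    for child in node.children:
        reduced = sub_reduce(child, scope)
        if reduced is not None:
            children.append(reduced)
    return DeltaTree(node.kind, kept, children)   # erasure of literals
```

Inside a cube containing p, every descendant clause containing p is deleted and every occurrence of the conjugate of p in a descendant clause is erased; the dual holds below a clause.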


Note that, for every literal $\ell$ in SubReduce($T$), no occurrence of $\ell$ or $\bar{\ell}$ appears in 
the scope of $\ell$. Therefore, only the relevant occurrences of literals are maintained 
after applying subreduction to a formula. 


5.3 Pure Literal 


The concept of pure literal for nnfs in [9] can be immediately extended to 
Δ-trees, by using Theorem 2. 

If $A$ is a nnf and $\ell$ is a pure literal, then $A$ is satisfiable iff $A[\ell/\top]$ is satisfiable. 
This result can also be extended to Δ-trees. 


A more general concept, that includes the previous one, is the concept of 
Δ-pure literal. 
Definition 12. Let $T$ be a Δ-tree. We say that $\ell$ is a Δ-pure literal in $T$ if, when 
traversing the Δ-tree in depth-first order, the first occurrence of either $\ell$ or $\bar{\ell}$ is 
$\ell$ in all the branches. 


Theorem 11. Let $T$ be a Δ-tree and $\ell$ a Δ-pure literal in $T$. Then $T$ is satisfiable 
iff $T[\ell/\top, \bar{\ell}/\bot]$ is satisfiable. 
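
One possible reading of the Δ-purity test, sketched in Python: along every branch, the first node that mentions the literal or its conjugate must mention the literal itself. The names `DeltaTree`, `conj` and `is_delta_pure` and the string encoding of literals are assumptions of this sketch; branches in which neither literal occurs are accepted.

```python
from dataclasses import dataclass, field
from typing import List


@dataclass
class DeltaTree:
    kind: str                     # "alpha" or "beta"
    literals: List[str]
    children: List["DeltaTree"] = field(default_factory=list)


def conj(lit):
    """Conjugate of a literal written as 'p' or '-p'."""
    return lit[1:] if lit.startswith("-") else "-" + lit


def is_delta_pure(node, lit):
    """Check that `lit` is met before its conjugate on every branch."""
    if lit in node.literals:
        return True               # first occurrence on these branches is lit
    if conj(lit) in node.literals:
        return False              # the conjugate is met first
    return all(is_delta_pure(child, lit) for child in node.children)
```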


Example 3. Given the nnf A = (rV3)A (PV GQ A(DVS))V (FV (EV p)A (BV 
DIAGVsVr))) ACPA) V (pAS)) Ag) V8), the associated A-tree is 
[Figure: Δ-tree associated with A] 

The operator SubReduce gives the Δ-tree 

[Figure: Δ-tree obtained by SubReduce] 


Now, the operator $\Phi_1$ deletes the subtree rooted at node 311 and the nodes 
2211 and 21 to obtain the Δ-tree: 


[Figure: Δ-tree after applying $\Phi_1$] 


Using the operator SubReduce we obtain the Δ-tree on the left and finally, 
$\Phi_1$ applied once again on node 21 gives the Δ-tree on the right: 

[Figure: the two resulting Δ-trees] 

Using the operator Norm we obtain the formula (rV3)A(PVEVFV3)A((pAq) V8). 


6 Experimental Results 


We have written a straightforward implementation for the Macintosh port of 
the interpreter of Objective CAML (an ML-like functional language) in order 
to obtain a rapid prototype of a theorem prover. Δ-trees have been used to 
implement the reductions just described, together with a naive branching rule 
based on the Davis-Putnam procedure; namely, a formula $A$ is split into two 
subformulas $A[p/\top]$ and $A[p/\bot]$, where $p$ is the first variable occurring in $A$. 
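
The naive branching rule can be sketched in Python as follows. This is not the Objective CAML code of TAS, and it applies none of the reductions of the previous sections; the tuple encoding of formulas (`("and", [...])`, `("or", [...])`, literals as `"p"` or `"-p"`) and the names `assign`, `first_variable` and `satisfiable` are assumptions of the sketch.

```python
def assign(f, var, value):
    """Return f with `var` replaced by the Boolean `value`, constants simplified."""
    if isinstance(f, bool):
        return f
    if isinstance(f, str):                       # a literal
        if f.lstrip("-") != var:
            return f
        return (not value) if f.startswith("-") else value
    op, args = f
    absorbing = (op == "or")                     # True absorbs "or", False absorbs "and"
    rest = []
    for a in args:
        r = assign(a, var, value)
        if isinstance(r, bool):
            if r == absorbing:
                return absorbing
            continue                             # neutral constant, drop it
        rest.append(r)
    if not rest:
        return not absorbing
    return rest[0] if len(rest) == 1 else (op, rest)


def first_variable(f):
    """First variable occurring in a formula without constants."""
    if isinstance(f, str):
        return f.lstrip("-")
    for a in f[1]:
        v = first_variable(a)
        if v is not None:
            return v
    return None


def satisfiable(f):
    """Split on the first variable: f is satisfiable iff f[p/T] or f[p/F] is."""
    if isinstance(f, bool):
        return f
    p = first_variable(f)
    return satisfiable(assign(f, p, True)) or satisfiable(assign(f, p, False))
```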

As our method is specially focused on non-cnf formulas, we have run the 
prover, named TAS, on the IFIP benchmarks for hardware verification [3]. The 
results obtained, using a Power Macintosh G3 with 64 MB of memory at 233 
MHz, are compared with those obtained in [7], whose author also uses a 
reduction-like strategy (which he calls simplification); in his experiments he used a Sun 
SuperSPARC. In Table 1, we compare our implementation with the results 
obtained by Isabelle [8] (a well-known interactive prover, written in Standard ML) 
and Beatrix (a SICStus Prolog implementation in the spirit of lean tableau 
theorem proving). As several strategies were used in the cited work, in fairness 
to Isabelle and Beatrix, we compare our running time with their best absolute 
results no matter the strategy used. 


Table 1. TAS vs Beatrix and Isabelle. 


Problem | Isabelle | Beatrix | TAS | Problem | Isabelle | Beatrix | TAS 
x2 | 13] _0.0[ 0.00fmr | 130.9] 02] 007] 
feransp_| _02[ 0.0| 0.00]rap02_| 16] 0.0] 0.08 


isc | 98| 0.6] 005]ripoa_| 9945] _0.5[ 0.38 
counter | O8.8[01[ Otalfrap06 | __-| 80] 275] 
fhostinei| 06.5[ 02] 0.10|frapos_[ ___-|_182[77.18| 


It is important to remark that the results obtained are much better 
than those of Isabelle, showing not only that the scaling factor in problems such 
as rip0n can be reduced, but also that absolute run time values are comparable to 
those obtained by Beatrix, which shortens the gap between lean theorem proving 
in Prolog and standard theorem proving in ML-like languages. In Table 2 some 
more results are compared with the run time of Beatrix, where an important 
speed-up when using TAS can be noticed. 


Table 2. Run time (seconds) on other IFIP benchmarks. 


Problem        Beatrix    TAS  | Problem   Beatrix    TAS  | Problem    Beatrix    TAS 
d3 (satisf.)       0.1   0.17  | dk17          3.0   0.38  | sqn           11.2   0.43 
misg               0.7   0.35  | z5xp1         4.1   0.38  | add1          12.2   1.20 
                         0.80  | f51m          5.7   0.48  | dc2           12.5   0.40 
mp2d               1.1   1.03  | pitch         5.7   2.55  | mu103         20.1   1.03 
dk27               2.2   0.07  | vg2           7.0   2.82  | rd73          30.4   1.27 
z4                 2.3   1.53  | alu           7.1   3.98  | root          33.7   0.67 
rom2               2.5   3.03  | x1dn          7.2   3.37  | alupla20     618.1  31.72 
                         2.72  | z9sym         9.8   4.07  | 


To make the comparison more interesting we also chose to run TAS on the 
Random 3-SAT benchmark, although TAS has been neither designed nor 
optimised for cnf formulas. Table 3 shows the results for the standard random 
distribution of 3-SAT, where 3_sat(V,C) means that samples had $C$ clauses, 
with 3 literals selected uniformly among $V$ variables and each literal negated 
with probability 0.5. 
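
A sample of this distribution can be generated with a few lines of Python. The sketch below is only an illustration: the function name `random_3sat`, the DIMACS-like encoding of literals as signed integers and the choice of three distinct variables per clause are assumptions, since the text does not say whether repeated variables are allowed.

```python
import random


def random_3sat(num_vars, num_clauses, seed=None):
    """Return a list of clauses, each a list of three signed integers."""
    rng = random.Random(seed)
    clauses = []
    for _ in range(num_clauses):
        # Assumption: the three variables of a clause are pairwise distinct.
        variables = rng.sample(range(1, num_vars + 1), 3)
        # Each literal is negated with probability 0.5.
        clause = [v if rng.random() < 0.5 else -v for v in variables]
        clauses.append(clause)
    return clauses
```

A call such as `random_3sat(32, 128, seed=0)` would produce one sample of the kind written 3_sat(32,128) in the notation above.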

We show our results together with the results of two different flavours of 
Beatrix, the 'standard' one (in which the usual $\beta$-rule is used) and the 'lemmaizing' 
version (an asymmetric rule for a limited form of cut). 




One can easily see that, although our implementation has been run on an 
interpreter (as far as we know no compiler for CAML is yet available for Macs), 
the performance of TAS is in between the two flavours of Beatrix. The speedup 
factor of TAS w.r.t. the standard version of Beatrix is about 2 for formulas with 
32 variables and about 3.5 for formulas with 64 variables, whereas the 
lemmaizing version of Beatrix outperforms TAS by an average factor of 1.63 for 32 variables 
and 2.72 for 64 variables. 

These results are neither surprising, for the standard version of Beatrix is 
just a tableau system improved with a particular case of our reductions, nor 
discouraging, for the branching rule we have implemented is just a raw DPLL- 
like procedure. 

It is worth noting that, although the computational cost of the reductions 
implemented in TAS results in poor runtimes for the formulas in the first row of 
the table, the negative effect disappears as the size of the formulas is increased. 
Beatrix ]BesLem|] TAS Beat 
03[__ 02] 0.80 |ssat64, 192] 14 
39[__1.3| 207][s.sat(64,256)| 334.6 


5543 
508.6 
5_[asat(o2,19)[ 77] 26] 371]S-sar(64,36a)] 2103 
Table 3. TAS vs Beatrix on Random 3-SAT. 


7 Conclusions 


We have introduced Δ-trees for propositional formulas. This structure 
allows a compact representation for well-formed formulas as well as for a number 
of reduction strategies in order to consider only those occurrences of literals 
which are relevant for the satisfiability of the input formula. It is important 
to notice that this structure can also be extended to other non-classical logics 
where the TAS methodology works. Finally, the reduction strategies have been 
implemented and tests are reported which show the relatively good performance 
of our implementation of the techniques introduced. 
Abstract. In this paper we integrate a sorted unification calculus into 
free variable tableau methods for logics with term declarations. The 
calculus we define is used to close a tableau at once, unifying a set of 
equations derived from pairs of potentially complementary literals 
occurring in its branches. Apart from making the deduction system sound 
and complete, the calculus is terminating and so it can be used as a 
decision procedure. In this sense we have separated the complexity of 
sorts from the undecidability of first order logic. 


1 Introduction 


In the context of logical systems, sorts are widely accepted as a means of 
increasing efficiency, reducing the search space, and allowing more natural 
representations. Two main approaches have been followed in the incorporation of sorts into 
logics. Usually, sorts behave statically: sort properties (sort hierarchies and 
sort declarations for operations) are fixed in the signature [1,14,13]. 

On the other hand, for the purpose of natural language understanding it 
is interesting to design inference systems which are capable of deducing 
taxonomic information, that is, the reasoning process may actually alter sort 
properties such as hierarchies [8]. In this sense, sorts behave dynamically when 
the information about sorts and individuals co-exists within the same formal 
framework [5,6]. The greatest expressivity is achieved when the sort declarations 
of operations are expressed by means of a new formula constructor. Thus the 
so-called logics with term declarations [15] arise as logical systems including, in a 
single formalism, a classical many sorted logic together with all the information 
it entails (relations between sorts and sort declarations for function symbols). 

This paper follows a research line involved in the construction of tableau 
methods for logics with term declarations [7,10,11]. Instead of defining new 
inference rules, we separate sorts from first order logic using a sorted unification 
calculus. The calculus is required to unify a set of equations derived from pairs of 
potentially complementary literals occurring in the branches of a tableau. Free 
variables present two difficulties to be considered when designing the sorted 
calculus. First, variables are attached to sorts restricting their domain [15,5,6], 
so we can only apply substitutions that are well-sorted. This means that the 
(static) sort of every substituted variable and the (dynamic) sort of the 
respective substituting term must be the same. Second, free variables behave rigidly 
and so they can only be instantiated once [3]. Hence we have to consider the sort 
information occurring in the whole tableau even when closing a single branch. 

In this paper, we improve our previous results with a calculus that fulfills the 
following properties: 

1. It is simultaneous, so a tableau can be (globally) closed at once. As we 
will see, the search space can be more efficiently pruned when we consider all 
the branches at the same time. 

2. It is quite simple. It suitably combines a standard unification procedure 
and just four sorted rules (two symmetric non-failure rules and their failure 
versions). Moreover, the applicability conditions of the rules are quite simple. 

3. It is terminating, so we have separated the complexity of sorts 
from the undecidability of first order logic. The calculus can therefore be used as a 
decision procedure because it is enough to traverse a finite search space. Moreover, 
termination allows more elegant soundness and completeness proofs. 

The paper is organized as follows. Section 2 presents the Logic with Term 
Declarations and some results about its ground tableau methods. In Section 3 we 
introduce free variable tableaux and the notion of rigid sorted unification (RSU) 
problem. Section 4 presents a calculus for solving these RSU-problems and its 
main properties; it is extended to a global version for solving simultaneous rigid 
sorted unification (SRSU)-problems in Section 5. Section 6 integrates this last 
calculus into a new free variable tableau system. We finish with a discussion of 
the achieved results. Due to lack of space most of the proofs have been omitted.
They can be found in [9].


2 The Logic with Term Declarations LTD 


LTD extends ordinary first-order predicate logic by introducing a new formula
constructor $t \in s$ (called term declaration) which expresses that the term
$t$ has sort $s$. In LTD operations have no static sort; thus an LTD-signature $\Sigma$
consists of a finite set $S$ of sorts $s$, and unsorted sets $C$, $F$ and $P$ of constant,
function and predicate symbols respectively, the last two with an associated arity.
Only variables are attached to a fixed sort; they belong to one of the countable
sets of the sorted family $X = (X^s)_{s \in S}$.

The sets of $\Sigma$-terms $T(\Sigma)$ and $\Sigma$-formulas $F(\Sigma)$ are defined as in first-order
logic, but including term declarations. For example, $\forall x^s (x^s \in s')$ is a formula
expressing that the sort $s$ is a subsort of $s'$, while $\forall x^s (f(x^s) \in s')$ expresses
that the range of the function $f$ in the $s$-domain is a set of $s'$-elements. A set
of formulas $\mathcal{L}$ is called a $\in$-theory, or simply a theory, if it is composed of term
declarations. Substitutions are finite replacements of variables for terms, written
in the form $[t_1/x_1^{s_1}, \ldots, t_n/x_n^{s_n}]$.

A $\Sigma$-structure $\mathcal{D}$ in LTD is a total domain $D$ containing a family of domains
$\{D^s \mid s \in S\}$, and sets of interpretations $\{c^{\mathcal{D}} \in D \mid c \in C\}$, $\{f^{\mathcal{D}} : D^n \to D \mid f^n \in F\}$,
$\{P^{\mathcal{D}} : D^n \to \{\mathbf{t}, \mathbf{f}\} \mid P^n \in P\}$, for the symbols of $\Sigma$. Considering that we
do not have sort declarations in the signature, domains can possibly be empty;
it is only known that $\bigcup_{s \in S} D^s \subseteq D$.

A valuation for $\mathcal{D}$ is a sorted family $\rho = (\rho^s)_{s \in S}$ of finite mappings
$\rho^s : X^s \to D^s$ of the form $[\rho^s(x_1^s)/x_1^s, \ldots, \rho^s(x_n^s)/x_n^s]$; $dom(\rho^s) = \{x_1^s, \ldots, x_n^s\}$ is
the domain of $\rho^s$, and $dom(\rho) = \bigcup_{s \in S} dom(\rho^s)$ is the domain of $\rho$. Note that
$dom(\rho^s) = \emptyset$ if $D^s = \emptyset$. As usual, $\rho[d/x^s]$ will denote the valuation that assigns
$d$ to $x^s$ and behaves as $\rho$ elsewhere.

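The semantic value $[\![t]\!]^{\mathcal{D}}_{\rho}$ of a term $t$ in a $\Sigma$-interpretation $(\mathcal{D}, \rho)$ is defined
as usual and it exists whenever $var(t) \subseteq dom(\rho)$. The boolean value $[\![\varphi]\!]^{\mathcal{D}}_{\rho}$ of
a formula $\varphi$ in $(\mathcal{D}, \rho)$ exists if $free(\varphi) \subseteq dom(\rho)$ and it is defined as usual for
first-order formulas, except for:

$$[\![\forall x^s \varphi]\!]^{\mathcal{D}}_{\rho} = \begin{cases} \mathbf{t} & \text{if } [\![\varphi]\!]^{\mathcal{D}}_{\rho[d/x^s]} = \mathbf{t} \text{ for all } d \in D^s \\ \mathbf{f} & \text{otherwise} \end{cases}$$

$$[\![\exists x^s \varphi]\!]^{\mathcal{D}}_{\rho} = \begin{cases} \mathbf{t} & \text{if there exists } d \in D^s \text{ such that } [\![\varphi]\!]^{\mathcal{D}}_{\rho[d/x^s]} = \mathbf{t} \\ \mathbf{f} & \text{otherwise} \end{cases}$$

$$[\![t \in s]\!]^{\mathcal{D}}_{\rho} = \begin{cases} \mathbf{t} & \text{if } [\![t]\!]^{\mathcal{D}}_{\rho} \in D^s \\ \mathbf{f} & \text{otherwise} \end{cases}$$

In the sequel when we write $[\![t]\!]^{\mathcal{D}}_{\rho}$ (resp. $[\![\varphi]\!]^{\mathcal{D}}_{\rho}$), we assume $var(t) \subseteq dom(\rho)$
(resp. $free(\varphi) \subseteq dom(\rho)$), which trivially holds for ground terms (resp. sentences).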

Next we outline a ground tableau method for LTD. The completeness proof
of the free variable tableau versions we present will be based on lifting the
completeness of the ground method. Suppose that $\Sigma$ has been extended to a
signature $\overline{\Sigma}$ with a countable set of new constants. The rules $\alpha$ and $\beta$ are
defined as in classical first-order tableaux [4]. For the $\gamma$ and $\delta$ rules we define:

$$\gamma)\ \frac{\forall x^s \varphi \qquad t \in s}{\varphi[t/x^s]} \qquad\qquad \delta)\ \frac{\exists x^s \varphi}{\varphi[c/x^s] \qquad c \in s}$$

In $\gamma$, $t$ is a ground term; in $\delta$, $c$ is a new constant not occurring in the branch. Note
how the sort information is managed dynamically in LTD: term declarations
are used ($t \in s$) or introduced ($c \in s$) in the branch expansion.


Definition 1 A branch $B$ of a tableau is closed if an atomic contradiction $\varphi$ and
$\neg\varphi$ ($\varphi$ atomic) appears in $B$. A tableau is closed if all its branches are closed.


Theorem 2 (Soundness and Completeness) [7] Given a set of $\Sigma$-sentences
$\Phi$, $\Phi$ has a closed tableau if and only if $\Phi$ is not satisfiable.


Example 3 Let $\Sigma$ be a signature composed of the sorts $s, s'$, the constant $a$, the
unary function symbol $f$ and the binary predicate symbol $P$. To give the following
sentences a more direct reading, we take sort $s$ to represent human beings, $s'$ kind
people, $f(\square)$ the father of $\square$, and $P(\square, \diamond)$ to express that $\square$ gets along with $\diamond$.
Suppose that 1: $a$ is a human being ($a \in s$), 2: who does not get along with
his father ($\neg P(a, f(a))$), 3: every kind human being gets along with everybody
($\forall x^s (x^s \in s' \to \forall y^s P(x^s, y^s))$) and 4: the father of every human being is a
human being ($\forall x^s (f(x^s) \in s)$). Then, as the following closed ground
tableau shows, 5: some human beings are not kind ($\exists x^s (\neg\, x^s \in s')$). The tableau
starts from the negation of 5.


    5: $\forall x^s (x^s \in s')$
        | $\gamma$ to 1, 5
    6: $a \in s'$
        | $\gamma$ to 1, 3
    7: $a \in s' \to \forall y^s P(a, y^s)$
        | $\beta$ to 7 (two branches)

    Left branch:
    8: $\neg\, a \in s'$
        closed by 6, 8

    Right branch:
    9: $\forall y^s P(a, y^s)$
        | $\gamma$ to 1, 4
    10: $f(a) \in s$
        | $\gamma$ to 10, 9
    11: $P(a, f(a))$
        closed by 2, 11


LTD is not more expressive than first order logic (sorts can be expressed as
unary predicates [16]), but it allows more natural representations and deductions.
In the example above, the formalization and the tableau can be expressed
in first order logic, but at the cost of: (1) using more complex formulas (e.g.
formula 3 would be transformed into $\forall x (S(x) \to (S'(x) \to \forall y (S(y) \to P(x, y))))$,
which produces more branches to be closed) and (2) decreasing the efficiency because
we lose the sort information in the $\gamma$-applications (e.g. $x$ in the previous
formula could be instantiated to the term $f(f(f(a)))$).

Even if we used static ordered sorts, the formalization of $x^s \in s'$ would need
the sort $s \cap s'$, making the signature dependent on the problem. Furthermore
we can consider a different sort hierarchy in each branch of the tableau. In this
sense, term declarations improve on static ordered sorts as well.


3 Free Variable Tableaux 


Now we will assume that the extended signature $\overline{\Sigma}$ also contains a countable set
of new function symbols. The free variable tableau method defines the following
new rules for quantifications:

$$\gamma')\ \frac{\forall x^s \varphi}{\varphi[y^s/x^s]} \qquad\qquad \delta')\ \frac{\exists x^s \varphi}{\varphi[f(x_1^{s_1}, \ldots, x_n^{s_n})/x^s] \qquad f(x_1^{s_1}, \ldots, x_n^{s_n}) \in s}$$

In $\gamma'$, $y^s$ is a new variable in the tableau; in $\delta'$, $f$ is a new function symbol
applied to the free variables occurring in the branch.

Obviously, free variables of a tableau may be substituted. As variables are 
sorted, the application of a substitution is sound in those contexts which ensure 
that the sort of every substituted variable is preserved. In LTD, theories play 
the role of these syntactic contexts. 


Definition 4 (Well-Sorted Substitution) A substitution $[t_1/x_1^{s_1}, \ldots, t_n/x_n^{s_n}]$
is well-sorted w.r.t. a theory $\mathcal{L}$ if $(t_i \in s_i) \in \mathcal{L}$, $1 \le i \le n$. A substitution $\tau$
is well-sorted w.r.t. a tableau $T$ with branches $B_1, \ldots, B_n$ if the restriction of
$\tau$ to the free variables of $B_i$, that is $\tau|_{free(B_i)}$, is well-sorted w.r.t. the theory
included in $B_i$, $1 \le i \le n$.


Well-sorted substitutions can be safely applied to free variable tableaux. Denote
by S1 the tableau system composed of $\alpha$, $\beta$, $\gamma'$, $\delta'$ and the substitutivity
rule sub defined by:


sub) If $T$ is a free variable tableau and $\tau$ is an idempotent substitution well-sorted
w.r.t. $T$ then $T\tau$ is a free variable tableau.


The concepts of closed branch and closed tableau are defined as in Definition
1. Then we can prove the soundness and completeness of S1; these proofs are very
similar to those presented in [10]. See that paper for more explanations about the
importance of idempotency in the rule sub and how to overcome empty domains.
Due to empty domains, soundness and completeness of S1 are not stated as
symmetric results; other approaches to the problems of
empty domains can be found in [2,16].


Theorem 5 (Soundness of S1) Given a set of $\Sigma$-sentences $\Phi$, if $\Phi$ has a
closed free variable tableau then $\Phi$ is not satisfiable in structures with non-empty
domains, for every sort.


Theorem 6 (Completeness of S1) Given a set of $\Sigma$-sentences $\Phi$, if $\Phi$ is not
satisfiable then $\Phi$ has a closed free variable tableau.


As in classical first-order tableaux [4], improving ground tableaux involves
restricting the application of the rule sub and using it only for closing branches.
This results in the integration of a unification calculus which finds well-sorted
unifiers for potentially complementary literals occurring in a branch. However,
in order to obtain a complete deduction system, unifiers must be structured in
a particular form, as the following example shows.


Example 7 Let $T$ be the closed ground sketch of tableau presented below on the
left and $T'$ be the free variable tableau built as $T$ on the right.

    $T$ (ground)                         $T'$ (free variable)
    $a \in s$                            $a \in s$
    $\neg P(a)$                          $\neg P(a)$
    $\forall x^s (x^s \in s')$           $\forall x^s (x^s \in s')$
    $\forall u^{s'} P(u^{s'})$           $\forall u^{s'} P(u^{s'})$
    $a \in s'$                           $x^s \in s'$
    $P(a)$                               $P(u^{s'})$


$T'$ should be closed by solving the unification problem $u^{s'} \approx a$ corresponding to
the single branch of $T'$; however this problem cannot be solved by any well-sorted
substitution w.r.t. the theory presented in the branch, $\{a \in s, x^s \in s'\}$. Nevertheless
there is a sequence of unitary idempotent substitutions $\sigma = [x^s/u^{s'}][a/x^s]$,
relating both tableaux, which is gradually well-sorted, in the sense that each unitary
component is well-sorted after the application of the preceding ones in the
sequence. So $\sigma$ can be applied to $T'$ using the rule sub twice. The sequence $\sigma$
emphasizes the idea of an existing order in the application of the rule sub to $T'$,
corresponding to the order of $\gamma$-applications to $T$.


Therefore we will define a unification calculus lifting any closed ground
tableau to a closed free variable one, by deriving a sequence of well-sorted unitary
substitutions. First we define a concept of triangularity which captures the
order of $\gamma$-applications to ground tableaux; then we adapt the notion of
well-sortedness to sequences.


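Definition 8 A sequence of unitary substitutions $[t_1/x_1^{s_1}] \ldots [t_n/x_n^{s_n}]$ is triangular
if it satisfies:

1. $var(t_i) \cap \{x_1^{s_1}, \ldots, x_i^{s_i}\} = \emptyset$, $1 \le i \le n$.

2. $x_i \neq x_j$, $1 \le i < j \le n$.


Definition 9 Let $\sigma = \sigma_1 \ldots \sigma_n$, $\mathcal{L}$ and $T$ be a triangular sequence of unitary
substitutions, a theory and a free variable tableau, respectively. We say that $\sigma$
is well-sorted w.r.t. $\mathcal{L}$ (resp. $T$) if $\sigma_i$ is well-sorted w.r.t. $\mathcal{L}\sigma_1 \ldots \sigma_{i-1}$ (resp.
$T\sigma_1 \ldots \sigma_{i-1}$), $1 \le i \le n$.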


Note that well-sorted sequences w.r.t. tableaux can be soundly applied using
the rule sub, by gradually applying each of their unitary components. So, in
Example 7, $[x^s/u^{s'}][a/x^s]$ is well-sorted w.r.t. $T'$ and can be used to close it.
Consequently we must design a calculus that obtains well-sorted sequences instead
of a unique idempotent well-sorted substitution.
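
Definitions 4, 8 and 9 can be illustrated with a small sketch. The Python below is not part of the calculus itself: the tuple encoding of terms and the helper names (`var`, `app`, `is_triangular`, `is_well_sorted`) are assumptions made for this illustration, and a theory is modelled as a set of (term, sort) pairs. It replays Example 7, where the single substitution $[a/u^{s'}]$ is rejected while the sequence $[x^s/u^{s'}][a/x^s]$ is accepted.

```python
# Hypothetical encoding: ("v", name, sort) is a sorted variable,
# ("f", name, args) is a function application (constants have no args).
def var(name, sort):
    return ("v", name, sort)

def app(name, *args):
    return ("f", name, tuple(args))

def vars_of(t):
    """Set of variables occurring in term t."""
    if t[0] == "v":
        return {t}
    return set().union(*(vars_of(a) for a in t[2]))

def subst(t, x, r):
    """Replace every occurrence of variable x in term t by r."""
    if t[0] == "v":
        return r if t == x else t
    return ("f", t[1], tuple(subst(a, x, r) for a in t[2]))

def is_triangular(seq):
    """Definition 8; seq is a list of (term, variable) pairs, read as [term/variable]."""
    xs = [x for _, x in seq]
    if len(set(xs)) != len(xs):          # condition 2: replaced variables are distinct
        return False
    # condition 1: t_i mentions none of x_1..x_i
    return all(not (vars_of(t) & set(xs[: i + 1])) for i, (t, _) in enumerate(seq))

def is_well_sorted(seq, theory):
    """Definition 9 for a theory: each component is checked after applying the previous ones."""
    if not is_triangular(seq):
        return False
    current = set(theory)
    for t, x in seq:
        if (t, x[2]) not in current:     # the declaration t in sort(x) must be present
            return False
        current = {(subst(d, x, t), s) for d, s in current}
    return True

# Example 7: theory {a in s, x^s in s'} and the problem u^{s'} = a.
a, x, u = app("a"), var("x", "s"), var("u", "s'")
theory = {(a, "s"), (x, "s'")}
single = [(a, u)]                        # [a/u]: a is not declared in s'
gradual = [(x, u), (a, x)]               # [x/u][a/x]
print(is_well_sorted(single, theory), is_well_sorted(gradual, theory))
```

The check for a whole tableau would repeat the same test on every branch in which the replaced variable occurs free; that extension is left out of this sketch.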


4 Rigid Sorted Unification


In this section we present how to solve unification problems arising when closing
a single branch. Specifically, a Rigid Sorted Unification (RSU for short) problem
has the following structure:

Given a finite theory $\mathcal{L}$ and a finite set of equations $\Gamma$, is there a well-sorted
sequence of unitary substitutions w.r.t. $\mathcal{L}$ that unifies $\Gamma$?


For solving RSU-problems, we define the unification calculus C. The non-failure
rules of C have the form

$$\frac{\Gamma,\ \sigma_1 \ldots \sigma_n}{\Gamma',\ \sigma_1 \ldots \sigma_n \sigma'}$$

where $\Gamma, \Gamma'$ are sets of (oriented) equations and $\sigma_1 \ldots \sigma_n$, $\sigma_1 \ldots \sigma_n \sigma'$ are
sequences of unitary substitutions. C is composed of ten rules: six standard rules for
syntactic unification (tautology, decomposition, orientation, application, clash
and cycle [16]) plus the following four ones:


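The Sorted Rules of C


(LW) Left Weakening

$$\frac{\Gamma \cup \{x^s \approx t'\},\ \sigma_1 \ldots \sigma_n}{(\Gamma \cup \{x^s \approx t'\})[t/x^s],\ \sigma_1 \ldots \sigma_n [t/x^s]}$$

if $(t \in s) \in \mathcal{L}\sigma_1 \ldots \sigma_n$ and $x^s \notin var(t)$

(RW) Right Weakening

$$\frac{\Gamma \cup \{y^{s'} \approx x^s\},\ \sigma_1 \ldots \sigma_n}{(\Gamma \cup \{y^{s'} \approx x^s\})[t/x^s],\ \sigma_1 \ldots \sigma_n [t/x^s]}$$

if $(t \in s) \in \mathcal{L}\sigma_1 \ldots \sigma_n$ and $x^s \notin var(t)$

(FWF) Functional Weakening Failure

$$\frac{\Gamma \cup \{x^s \approx f(t_1, \ldots, t_m)\},\ \sigma_1 \ldots \sigma_n}{Fail}$$

if there is no formula $t \in s$ in $\mathcal{L}\sigma_1 \ldots \sigma_n$ such that $x^s \notin var(t)$

(VWF) Variable Weakening Failure

$$\frac{\Gamma \cup \{x^s \approx y^{s'}\},\ \sigma_1 \ldots \sigma_n}{Fail}$$

if there is no formula $t \in s$ in $\mathcal{L}\sigma_1 \ldots \sigma_n$ such that $x^s \notin var(t)$, nor $t \in s'$ such
that $y^{s'} \notin var(t)$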


When solving RSU-problems, the application of standard rules always takes
precedence. Furthermore we assume that there exists a terminating algorithm A
for syntactic unification, transforming a set of equations $\Gamma$ into Fail or a solved
set of equations, by the non-deterministic application of the six standard rules.
In this sense, the algorithm A behaves as a black box and we do not deal with
the non-determinism its rules entail. Incorporating auxiliary calculi for solving
some well-stated problems has been used in many other areas [3,12].


Definition 10 Let $\Gamma$ be a set of equations and $\sigma = \sigma_1 \ldots \sigma_n$ a sequence of
unitary substitutions. One C-standard step is the application of the algorithm A
to the pair $(\Gamma, \sigma)$ until Fail or a solved set of equations $\Gamma'$ is reached. One C-sorted
step is the application of a sorted rule to the pair $(\Gamma, \sigma)$ using a theory. One C-step
is one C-standard or C-sorted step. We write $(\Gamma, \sigma_1 \ldots \sigma_n) \vdash_C (\Gamma', \sigma_1 \ldots \sigma_{n'})$
($n' \in \{n, n+1\}$) (resp. $(\Gamma, \sigma_1 \ldots \sigma_n) \vdash_C Fail$) to express one non-failure (resp.
failure) C-step.

We say that the calculus C unifies a set of equations $\Gamma$ w.r.t. a theory $\mathcal{L}$ by
the sequence of unitary substitutions $\sigma_1 \ldots \sigma_n$, or $\sigma_1 \ldots \sigma_n$ is a C-unifier for $\Gamma$
w.r.t. $\mathcal{L}$, if there exists a chain of C-steps, alternating C-standard and C-sorted
steps, starting with $(\Gamma, \emptyset)$ and finishing with $(\emptyset, \sigma_1 \ldots \sigma_n)$.


Note that C-standard steps do not append elements to the sequence of unitary
substitutions, and they can possibly be empty if the set of equations is still in
solved form after one C-sorted step. Note also that C-sorted steps are always
applied to sets of equations in solved form.

The computation of a solution to an RSU-problem can be viewed as the search
for C-unifiers in a C-derivation tree: nodes are either pairs $(\Gamma, \sigma)$ or failure
leaves Fail, and branches alternate C-standard and C-sorted steps. Branching
in a node only occurs due to (explicit) non-determinism in C-sorted steps; the
non-determinism derived from syntactic unification is implicit in the algorithm
A. Leaves are either successful pairs $(\emptyset, \sigma)$ or failure leaves Fail. As we will see,
a failure node after one C-standard step allows cutting the branch expansion of
that node, while a failure node after one C-sorted step allows cutting the branch
expansion of its parent.


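Example 11 Suppose $\mathcal{L} = \{a \in s, y^{s'} \in s, z^{s''} \in s, b \in s'\}$ and $\Gamma = \{f(x^s) \approx f(b)\}$.
The C-derivation tree for this RSU-problem is:


    $(\{f(x^s) \approx f(b)\}, \emptyset)$
        | C-standard step
    $(\{x^s \approx b\}, \emptyset)$
        | LW (three alternatives)

    First branch:
    $(\{a \approx b\}, [a/x^s])$
        | C-standard step
    Fail

    Second branch:
    $(\{z^{s''} \approx b\}, [z^{s''}/x^s])$
        | C-standard step
    $(\{z^{s''} \approx b\}, [z^{s''}/x^s])$
        | FWF
    Fail

    Third branch:
    $(\{y^{s'} \approx b\}, [y^{s'}/x^s])$
        | C-standard step
    $(\{y^{s'} \approx b\}, [y^{s'}/x^s])$
        | LW
    $(\{b \approx b\}, [y^{s'}/x^s][b/y^{s'}])$
        | C-standard step
    $(\emptyset, [y^{s'}/x^s][b/y^{s'}])$


The first branch finishes in a failure node after one C-standard step, and the
second one, after one C-sorted step. The third branch obtains the unique C-unifier
$[y^{s'}/x^s][b/y^{s'}]$.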
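
The search through a C-derivation tree can be sketched in a few lines of Python. This is only an illustration under stated assumptions, not the authors' implementation: the term encoding and all function names are hypothetical, `solve` stands in for the black-box algorithm A, the weakening step substitutes the declared term for the chosen variable in both the equations and the theory (the behaviour visible in Example 11), and the sketch always works on the first solved equation, which is an assumption about how equations are selected. FWF and VWF appear implicitly: when no declaration qualifies, the branch produces no unifier.

```python
def var(name, sort):
    return ("v", name, sort)

def app(name, *args):
    return ("f", name, tuple(args))

def vars_of(t):
    if t[0] == "v":
        return {t}
    return set().union(*(vars_of(a) for a in t[2]))

def subst(t, x, r):
    """Replace every occurrence of variable x in term t by r."""
    if t[0] == "v":
        return r if t == x else t
    return ("f", t[1], tuple(subst(a, x, r) for a in t[2]))

def solve(eqs):
    """Stand-in for algorithm A: a solved list of (variable, term), or None for Fail."""
    todo, solved = list(eqs), []
    while todo:
        l, r = todo.pop()
        if l == r:                                   # tautology
            continue
        if l[0] == "f" and r[0] == "v":              # orientation
            l, r = r, l
        if l[0] == "v":
            if l in vars_of(r):                      # cycle
                return None
            todo = [(subst(p, l, r), subst(q, l, r)) for p, q in todo]  # application
            solved = [(v, subst(t, l, r)) for v, t in solved] + [(l, r)]
        elif l[1] != r[1] or len(l[2]) != len(r[2]): # clash
            return None
        else:                                        # decomposition
            todo.extend(zip(l[2], r[2]))
    return solved

def c_unifiers(eqs, theory, seq=()):
    """Depth-first enumeration of C-unifiers as lists of (term, variable) pairs."""
    solved = solve(eqs)                              # C-standard step
    if solved is None:
        return                                       # failure leaf
    if not solved:
        yield list(seq)                              # successful leaf: no equations left
        return
    lhs, rhs = solved[0]
    # LW weakens the left variable; RW weakens the right-hand side when it is a variable.
    for z in [lhs] + ([rhs] if rhs[0] == "v" else []):
        for t, s in theory:
            if s == z[2] and z not in vars_of(t):
                new_eqs = [(subst(p, z, t), subst(q, z, t)) for p, q in solved]
                new_theory = list(dict.fromkeys((subst(d, z, t), s2) for d, s2 in theory))
                yield from c_unifiers(new_eqs, new_theory, seq + ((t, z),))

# Example 11.
x, y, z = var("x", "s"), var("y", "s'"), var("z", "s''")
a, b = app("a"), app("b")
theory = [(a, "s"), (y, "s"), (z, "s"), (b, "s'")]
result = list(c_unifiers([(app("f", x), app("f", b))], theory))
print(result)
```

On the data of Example 11 the sketch explores the same three alternatives as the tree above and returns the single sequence corresponding to $[y^{s'}/x^s][b/y^{s'}]$. Each weakening step removes one variable from the equations and the theory, which is why the recursion is bounded in this sketch.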


4.1 Properties of the Calculus C


First we show that the unification calculus C is terminating for every RSU-problem.


Theorem 12 (Termination) The C-derivation tree of every RSU-problem is
finite.


The calculus C is sound in the sense that given a set of equations $\Gamma$ and a
theory $\mathcal{L}$, every C-unifier is a solution to the corresponding RSU-problem.


Theorem 13 (Soundness) Let $\Gamma$, $\mathcal{L}$ and $\sigma$ be a set of equations, a theory and
a sequence of unitary substitutions, respectively. If C unifies $\Gamma$ w.r.t. $\mathcal{L}$ by $\sigma$ then:
(i) $\sigma$ is well-sorted w.r.t. $\mathcal{L}$
(ii) $\sigma$ unifies $\Gamma$.


The completeness of C should read as follows: if there is a well-sorted sequence
of unitary substitutions $\sigma$ w.r.t. $\mathcal{L}$ unifying $\Gamma$ then C unifies $\Gamma$ w.r.t. $\mathcal{L}$ by a
sequence $\tau$ which is more general than $\sigma$*. But we are only interested in lifting a
particular class of sequences of unitary substitutions, those sequences $\sigma$ derived
from a closed ground tableau $T$ in the following way. Let $T'$ be a free variable
tableau built as $T$; then $\sigma$ is obtained by collecting the unitary substitutions
which correspond to the $\gamma$-applications to $T$; that is, if $\forall x^s \varphi$ and $t \in s$
are used in $T$ then we add $[t'/x^s]$ to the beginning of the current $\sigma$, where $t' \in s$
is the term declaration associated to $t \in s$ occurring in $T'$. In Example 7, we
would obtain $[x^s/u^{s'}][a/x^s]$. These sequences are ground and can be captured
by the concept of hyperwell-sortedness. Only hyperwell-sorted sequences will be
considered in the completeness of C.


Definition 14 A triangular sequence of unitary substitutions $[t_1/x_1^{s_1}] \ldots [t_n/x_n^{s_n}]$
is hyperwell-sorted w.r.t. a theory $\mathcal{L}$ if $(t_i \in s_i) \in \mathcal{L}$, $1 \le i \le n$.


In a hyperwell-sorted sequence, the order of the substitutions is not relevant
because the declaration of the replaced term explicitly appears in the theory. It is
immediate that every hyperwell-sorted sequence is also well-sorted; the converse is
not true: for example, $[a/x^s][a/u^{s'}]$ is well-sorted but not hyperwell-sorted w.r.t.
the theory $\{a \in s, x^s \in s'\}$.
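
The gap between the two notions is easy to check mechanically. The following Python sketch uses a hypothetical tuple encoding of terms and hypothetical function names; it assumes the sequences passed in are already triangular and only tests the sort conditions of Definitions 9 and 14.

```python
def var(name, sort):
    return ("v", name, sort)

def const(name):
    return ("f", name, ())

def subst(t, x, r):
    """Replace every occurrence of variable x in term t by r."""
    if t[0] == "v":
        return r if t == x else t
    return ("f", t[1], tuple(subst(a, x, r) for a in t[2]))

def is_hyperwell_sorted(seq, theory):
    """Definition 14: every declaration t_i in s_i already occurs in the original theory."""
    return all((t, x[2]) in theory for t, x in seq)

def is_well_sorted(seq, theory):
    """Definition 9: declarations are looked up in the theory instantiated so far."""
    current = set(theory)
    for t, x in seq:
        if (t, x[2]) not in current:
            return False
        current = {(subst(d, x, t), s) for d, s in current}
    return True

a, x, u = const("a"), var("x", "s"), var("u", "s'")
theory = {(a, "s"), (x, "s'")}

seq = [(a, x), (a, u)]        # [a/x][a/u]
lifted = [(x, u), (a, x)]     # [x/u][a/x], the sequence obtained in Example 7

well, hyper = is_well_sorted(seq, theory), is_hyperwell_sorted(seq, theory)
print(well, hyper, is_hyperwell_sorted(lifted, theory))
```

The first sequence passes the gradual test only because $a \in s'$ appears after instantiating $x^s$, whereas the lifted sequence finds both of its declarations in the original theory.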

For proving completeness, we examine the standard and the sorted case. For 
the former, we suppose that the algorithm A for syntactic unification is complete, 
so it fails whenever the given set of equations is not syntactically unifiable, and 
it succeeds giving a solved set of equations, otherwise. For the latter, we prove 
the following results. First the next technical lemma states that extracting and 
moving a unitary component through a sequence, from its place to the beginning, 
preserves hyperwell-sortedness and does not change the substitution. 


* Sequences of unitary substitutions are compared through the respective substitutions 
resulting from composing their unitary components. 
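
Lemma 15 Let $\sigma_1 \ldots \sigma_n$ be a sequence such that $\sigma_i = [t_i/x_i^{s_i}]$, $1 \le i \le n$. For a
fixed $m \in \{1, \ldots, n\}$ we define $\sigma'_i = [t_i[t_m/x_m^{s_m}]/x_i^{s_i}]$, $1 \le i \le m-1$. If $\sigma_1 \ldots \sigma_n$
is hyperwell-sorted w.r.t. a theory $\mathcal{L}$ then:

1. $\sigma'_1 \ldots \sigma'_{m-1} \sigma_{m+1} \ldots \sigma_n$ is hyperwell-sorted w.r.t. $\mathcal{L}\sigma_m$.

2. $\sigma_m \sigma'_1 \ldots \sigma'_{m-1} \sigma_{m+1} \ldots \sigma_n = \sigma_1 \ldots \sigma_n$.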


The next two lemmas prove completeness of the sorted case. If a set of equa- 
tions is unifiable by a hyperwell-sorted sequence then one non-failure C-sorted 
step can be taken because we can extract a unitary component from the sequence, 
as in Lemma 15. This step is always feasible since in a hyperwell-sorted sequence 
the declaration of every replaced term explicitly appears in the theory, wherever 
it occurs in the sequence. Conversely, if one failure C-sorted step proceeds then 
the set of equations is not unifiable by any hyperwell-sorted sequence. 


Lemma 16 (Sorted Completeness) Let $\Gamma$ and $\mathcal{L}$ be a solved non-empty set
of equations and a theory, respectively. Let $\tau = \tau_1 \ldots \tau_n$ be a hyperwell-sorted
sequence w.r.t. $\mathcal{L}$ that unifies $\Gamma$. Then there exists a set of equations $\Gamma'$ and a
unitary substitution $\sigma$ such that $(\Gamma, \emptyset) \vdash_C (\Gamma', \sigma)$. Moreover there exists another
hyperwell-sorted sequence $\theta_1 \ldots \theta_k$ w.r.t. $\mathcal{L}\sigma$ unifying $\Gamma'$.


Lemma 17 (Sorted Failure) Let $\Gamma$ and $\mathcal{L}$ be a solved set of equations and a
theory, respectively. If $(\Gamma, \emptyset) \vdash_C Fail$ after one C-sorted step then there is no
well-sorted, and therefore no hyperwell-sorted, sequence w.r.t. $\mathcal{L}$ unifying $\Gamma$.


Theorem 18 (Completeness) Let $\Gamma$ and $\mathcal{L}$ be a set of equations and a theory,
respectively. Let $\sigma_1 \ldots \sigma_n$ be a hyperwell-sorted sequence w.r.t. $\mathcal{L}$ unifying $\Gamma$.
Then there exists a C-unifier for $\Gamma$ w.r.t. $\mathcal{L}$.


Then we can solve a given RSU-problem by examining its C-derivation tree.

Corollary 19 The RSU-problem is decidable.


Proof. Given an RSU-problem and its associated C-derivation tree:

(i) answer yes whenever there is a successful leaf. This answer is correct by
Theorem 13,

(ii) answer no whenever every branch ends in a failure node. In this case there
is no hyperwell-sorted sequence w.r.t. the theory, by Theorem 18. Although the
notions of hyperwell-sortedness and well-sortedness are not equal, this answer
is correct because the existence of one kind of sequence is equivalent to the
existence of the other, as the following result proves. $\square$


Theorem 20 There exists a hyperwell-sorted sequence w.r.t. $\mathcal{L}$ unifying $\Gamma$ if
and only if there exists a well-sorted sequence w.r.t. $\mathcal{L}$ unifying $\Gamma$.


5 Simultaneous Rigid Sorted Unification


In the sequel, $T$ is a free variable tableau with branches $B_1, \ldots, B_m$.

Rigid sorted unification can be introduced in a tableau system in two different
ways. In a first approach, we can use the calculus C to close only a single
branch each time; this approach, followed in [10] but using a non-terminating
variant of the calculus C, presents a clear disadvantage. The point is that
well-sortedness w.r.t. a branch is not equivalent to well-sortedness w.r.t. the whole
tableau, because free variables can occur repeatedly in different branches. In fact,
not every local well-sorted unifier (w.r.t. the theory included in the branch to
be closed) is well-sorted w.r.t. $T$, so an extra test is needed to check that the
obtained local C-unifier is applicable to (well-sorted w.r.t.) $T$. Observe that this
test can only fail or succeed after the local C-unifier has been totally built.

In a second approach, we can try to close the whole tableau in a single
step, looking for a simultaneous well-sorted unifier. In this setting, we try to
unify a set of equations composed of one pair of potentially complementary
literals from each branch of $T$. A simultaneous calculus avoids the disadvantage
of the local calculus because it considers all the branches at once; so it implicitly
incorporates the previous extra test every time the sequence is extended. In this
sense, a simultaneous calculus prunes the search space more than a local calculus,
because it does not extend wrong sequences that are not going to become
well-sorted w.r.t. the whole tableau.

Following this approach, the Simultaneous Rigid Sorted Unification (SRSU for
short) problem arises:


Given a free variable tableau $T$ and a finite set of equations $\Gamma$, is there a
well-sorted sequence w.r.t. $T$ that unifies $\Gamma$?


For solving SRSU-problems, we define the calculus D. It is a natural extension
of C, in the sense that it takes care of all the branches of $T$ when a new unitary
substitution is added to the sequence. The calculus D is composed of the six
standard rules for syntactic unification and the natural extension of the previous
C-sorted rules. For example:

(LW) Left Weakening

$$\frac{\Gamma \cup \{x^s \approx t'\},\ \sigma_1 \ldots \sigma_n}{(\Gamma \cup \{x^s \approx t'\})[t/x^s],\ \sigma_1 \ldots \sigma_n [t/x^s]}$$

if $x^s \notin var(t)$ and for each $B_j$ ($x^s \in free(B_j\sigma_1 \ldots \sigma_n) \Rightarrow (t \in s) \in B_j\sigma_1 \ldots \sigma_n$)


D is used similarly to C, that is alternating standard and sorted steps until the 
set of equations to be unified is empty. Then the notions of D-step (standard or 
sorted), D-unifier and D-derivation tree can be defined as we did in the previous 
section, but using a free variable tableau instead of a single theory. Moreover we 
can prove that the calculus D satisfies the same properties. 
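
The side condition of the D-rule LW is what distinguishes the simultaneous calculus from the local one, and it can be sketched as a simple predicate. The Python below is an illustration only: the term encoding, the name `lw_allowed` and the representation of a branch as a pair (free variables, term declarations) are assumptions of this sketch, and branches are taken to be already instantiated by the current sequence. The data reproduces the two branches of the tableau of Example 28 in Section 6.

```python
def var(name, sort):
    return ("v", name, sort)

def app(name, *args):
    return ("f", name, tuple(args))

def vars_of(t):
    if t[0] == "v":
        return {t}
    return set().union(*(vars_of(a) for a in t[2]))

def lw_allowed(x, t, branches):
    """True if [t/x] may extend the sequence: x does not occur in t, and every
    branch in which x occurs free contains the declaration t in sort(x)."""
    if x in vars_of(t):
        return False
    return all((t, x[2]) in decls for free, decls in branches if x in free)

# Branches of the tableau of Example 28: (free variables, term declarations).
a = app("a")
x, y, z, u = var("x", "s"), var("y", "s"), var("z", "s"), var("u", "s")
f_y = app("f", y)
left = ({x, z}, {(a, "s"), (x, "s'")})
right = ({x, y, z, u}, {(a, "s"), (x, "s'"), (f_y, "s")})

print(lw_allowed(z, f_y, [right]))        # local view of the right branch only
print(lw_allowed(z, f_y, [left, right]))  # simultaneous view over both branches
print(lw_allowed(z, a, [left, right]))
```

Seen from the right branch alone, binding $z^s$ to $f(y^s)$ looks admissible; once the left branch is taken into account the binding is rejected immediately, because $z^s$ is also free there and $f(y^s) \in s$ is not declared in it.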


Theorem 21 (Termination) The D-derivation tree of every SRSU-problem is
finite.

The calculus D only builds well-sorted sequences w.r.t. a free variable tableau
$T$ that unify the initial set of equations $\Gamma$. Hence, we can answer yes to the
corresponding SRSU-problem whenever a D-unifier exists.


Theorem 22 (Soundness) Let $\Gamma$, $T$ and $\sigma$ be a set of equations, a free variable
tableau and a sequence of unitary substitutions, respectively. If D unifies $\Gamma$ w.r.t.
$T$ by $\sigma$ then:

(i) $\sigma$ is well-sorted w.r.t. $T$

(ii) $\sigma$ unifies $\Gamma$.


As in the previous section, in a tableau system we are not interested in
arbitrary sequences but only in those that can be inferred from a closed ground
tableau. To this end hyperwell-sortedness is extended to tableaux and the
completeness theorem is stated.


Definition 23 A triangular sequence of substitutions $[t_1/x_1^{s_1}] \ldots [t_n/x_n^{s_n}]$ is
hyperwell-sorted w.r.t. a free variable tableau $T$ if $x_i^{s_i} \in free(B) \Rightarrow (t_i \in s_i) \in B$,
$1 \le i \le n$, for every branch $B$.


Theorem 24 (Completeness) Let $\Gamma$ and $T$ be a set of equations and a free
variable tableau, respectively. Let $\sigma_1 \ldots \sigma_n$ be a hyperwell-sorted sequence w.r.t.
$T$ unifying $\Gamma$. Then there exists a D-unifier for $\Gamma$ w.r.t. $T$.


It is important to note that we cannot solve a given SRSU-problem by
examining the associated finite D-derivation tree (cf. Corollary 19) because a
result similar to Theorem 20 does not always hold for the simultaneous case, as
the next example shows.


Example 25 Let $T$ be the sketch of a free variable tableau below. The sequence
$[a/z^{s'}][a/x^s]$ is well-sorted w.r.t. $T$ and unifies $\{x^s \approx a\}$, so $[a/z^{s'}][a/x^s]$ is
a solution to the related SRSU-problem and $T$ could be closed. However it does
not correspond to a closed ground tableau; in fact, there is neither a hyperwell-sorted
sequence nor a D-unifier because, in the first branch, $x^s$ would have to be bound
to the constant $a$ while, in the second one, to $z^{s'}$.


    $\neg P(a)$
    $\forall x^s ((a \in s \wedge P(x^s)) \vee (\forall z^{s'} (z^{s'} \in s) \wedge a \in s' \wedge P(x^s)))$

    First branch:          Second branch:
    $a \in s$              $a \in s'$
    $P(x^s)$               $P(x^s)$
                           $z^{s'} \in s$

This example has two consequences. On the one hand, the calculus D does not
completely solve the SRSU-problem, although the completeness of the tableau
system will not be affected. On the other hand, the decidability of the SRSU-problem
remains open.


6 Free Variable Tableaux with Simultaneous Rigid Sorted
Unification


Now we use the calculus D for defining the tableau system S2, which is composed
of the rules $\alpha$, $\beta$, $\gamma'$, $\delta'$ and the new closure rule:


(SRSU-Closure Rule) A free variable tableau $T$ with branches $B_1, \ldots, B_m$ is
closed if there exist a set of equations $\Gamma = \{L_1 \approx L'_1, \ldots, L_m \approx L'_m\}$, where
$L_i \approx L'_i$ corresponds to a pair of potentially complementary literals occurring in
$B_i$, and a D-unifier w.r.t. $T$ unifying $\Gamma$.


We use the system S2 for building closed tableaux as follows:

1. Expand the tableau non-deterministically, using the rules $\alpha$, $\beta$, $\gamma'$, $\delta'$.

2. Define a set of equations $\Gamma$ by selecting one pair of potentially complementary
literals from every branch of the current tableau. Build the finite D-derivation
tree for $\Gamma$ w.r.t. the current tableau. If a D-unifier exists then the
tableau is closed, using the SRSU-closure rule; otherwise, try with another set
of equations, if there exists another choice, or go back to 1.


Observe that the only step taking sorts into account (step 2) always terminates;
it can be seen as a decision procedure. Therefore we have separated the
complexity of sorts from the undecidability of first order logic.


Theorem 26 (Soundness of S2) For every set of $\Sigma$-sentences $\Phi$, if $\Phi$ has a
closed free variable tableau then $\Phi$ is not satisfiable in structures with non-empty
domains, for every sort.


Theorem 27 (Completeness of S2) For every set of $\Sigma$-sentences $\Phi$, if $\Phi$ is
not satisfiable then $\Phi$ has a closed free variable tableau.


Example 28 We use the system S2 to solve the problem of Example 3. First
we apply the rules $\gamma'$ and $\beta$ to build the free variable tableau $T$:

    5: $\forall x^s (x^s \in s')$
        | $\gamma'$ to 5
    6: $x^s \in s'$
        | $\gamma'$ to 3
    7: $z^s \in s' \to \forall y^s P(z^s, y^s)$
        | $\beta$ to 7 (two branches)

    Left branch:
    8: $\neg\, z^s \in s'$

    Right branch:
    9: $\forall y^s P(z^s, y^s)$
        | $\gamma'$ to 4
    10: $f(y^s) \in s$
        | $\gamma'$ to 9
    11: $P(z^s, u^s)$


Second we use the calculus D to unify the set of equations $\Gamma = \{z^s \approx x^s, z^s \approx a, u^s \approx f(a)\}$
w.r.t. $T$. Observe that D has to succeed because $\Gamma$ is unified by
the hyperwell-sorted sequence $[f(y^s)/u^s][a/y^s][a/z^s][a/x^s]$ (this is the sequence
that relates $T$ to the ground tableau of Example 3). Next we show a successful
D-derivation for $\Gamma$ w.r.t. $T$:


    $\{z^s \approx x^s, z^s \approx a, u^s \approx f(a)\}$
        | LW, sequence $[a/z^s]$
    $\{a \approx x^s, a \approx a, u^s \approx f(a)\}$
        | D-standard step
    $\{x^s \approx a, u^s \approx f(a)\}$
        | LW, sequence $[a/z^s][a/x^s]$
    $\{a \approx a, u^s \approx f(a)\}$
        | D-standard step
    $\{u^s \approx f(a)\}$
        | LW, sequence $[a/z^s][a/x^s][f(y^s)/u^s]$
    $\{f(y^s) \approx f(a)\}$
        | D-standard step
    $\{y^s \approx a\}$
        | LW, sequence $[a/z^s][a/x^s][f(y^s)/u^s][a/y^s]$
    $\{a \approx a\}$
        | D-standard step
    $\emptyset$


Let us compare the simultaneous calculus D with a local approach (cf. the
beginning of Section 5) consisting of a) the local calculus C applied to each branch
independently and b) a test for checking whether a C-unifier is a well-sorted
sequence w.r.t. the whole tableau $T$. Then we must solve the following two problems:

1) $\{z^s \approx x^s\}$ w.r.t. the theory $\{a \in s, x^s \in s'\}$

2) $\{z^s \approx a, u^s \approx f(a)\}$ w.r.t. the theory $\{a \in s, x^s \in s', f(y^s) \in s\}$

In the second problem, we can apply the C-rule LW, using the declaration $f(y^s) \in s$,
to obtain the unitary substitution $\sigma = [f(y^s)/z^s]$. However, any sequence extending
$\sigma$ will not be well-sorted w.r.t. $T$ (the test will fail, but only once the
C-unifier has been totally built!) and so the C-derivation subtree following this
step is useless. In this sense the calculus D is more efficient because it prevents
the extension of wrong sequences that are not going to become well-sorted w.r.t.
the whole tableau.


7 Conclusions and Related Work


We have presented the logic with term declarations LTD. This is an order-sorted
logic which extends classical first-order logic by introducing a new formula
constructor $t \in s$, allowing the dynamic declaration of the term $t$ as an element
of sort $s$. Logics with term declarations already appeared in [5,15,16]. There,
variables can be restricted to non-unitary sorts; for example, $x^{s \cap s'}$ denotes an
individual of the intersection sort $s \cap s'$. In LTD, this sorted variable can be
expressed by including the term declaration $x^s \in s'$ where needed.

Apart from our previous papers, only [16] concerns tableau methods. [5] and
[15] consider resolution-based methods, the former in a more general framework.
In these two papers, sorted variables behave as universal in the involved
unification processes, in contrast to the rigid approach used in tableaux.

When dealing with free-variable tableau versions for LTD, the first question 
to be solved is how to define sound substitutions of variables in tableaux. This 
concept is the key to perform a proper integration of any sorted unification 
calculus into a tableau system. In [10] we proved that some possible attempts 
to define a substitutivity rule (cfr. [16]) fall into error. In this sense, the (de- 
cidability) results about rigid sorted unification presented in [16] seem to be 
useless for tableaux because its calculus is sound and complete w.r.t. an unsafe 
well-sortedness definition; that is, the application of its involved unifiers in its 
calculus produces unsound tableau systems. For this reason, decidability results 
for a sorted unification method useful for tableaux remained open till now. 

Regarding our previous paper [10], there are two main differences. First, [10]
presented a local unification calculus that required an extra test to check
well-sortedness w.r.t. the whole tableau; second, that calculus was not terminating.
Now we have defined the simultaneous unification calculus D which implicitly
incorporates the extra test every time a sequence is extended. In this sense, we
have also shown that the calculus D prunes the search space more efficiently.
Moreover D is terminating, so it can be successfully integrated in a tableau
system, unlike the calculus presented in [10]. Observe that non-terminating
unification calculi are useless within a tableau system because they may never
terminate when given a non-unifiable problem.

The calculus D also improves on [10] in other minor points. It has fewer rules
with simpler applicability conditions. Due to termination, the technique used
for proving the completeness of D is different and it strongly simplifies the
tedious proof for the calculus presented in [10]. Now we easily establish completeness
by proving that the existence of hyperwell-sorted solutions is preserved in the
D-unification process.

At present, we are working on a prototype of the tableau system S2. As in
this paper, we proceed in steps: first implementing the previous sorted calculus
C, then the calculus D, and finally incorporating D into free variable tableaux.
As future work, it would be useful to design efficient strategies to transform the
non-deterministic calculus D into a real decision procedure.


208 Pedro J. Martin and Antonio Gavilanes 
References 
1. A. G. Cohn. A more expressive formulation of many sorted logic. Journal of
   Automated Reasoning 3, 113-200, 1987.
2. A. G. Cohn. A many sorted logic with possibly empty sorts. CADE'11. LNCS 607,
   633-647, 1992.
3. A. Degtyarev, A. Voronkov. What you always wanted to know about rigid
   E-unification. Journal of Automated Reasoning 20(1), 47-80, 1998.
4. M. Fitting. First-Order Logic and Automated Theorem Proving (2nd edition).
   Springer, 1996.
5. A. M. Frisch. The substitutional framework for sorted deduction: fundamental
   results on hybrid reasoning. Artificial Intelligence 49, 161-198, 1991.
6. A. Gavilanes, J. Leach, P. J. Martin, S. Nieva. Reasoning with preorders and
   dynamic sorts using free variable tableaux. AISMC-3. LNCS 1138, 365-379, 1996.
7. A. Gavilanes, J. Leach, P. J. Martin, S. Nieva. Semantic tableaux for a logic
   with preorders and dynamic declarations. TABLEAUX'97 (Position paper), CRIN
   97-R-030, 7-12, 1997.
8. O. Herzog et al. LILOG-Linguistic and logic methods for the computational
   understanding of German. LILOG-Report 1b, IBM Germany, 1986.
9. P. J. Martin, A. Gavilanes. Simultaneous sorted unification for free variable
   tableaux: an elegant calculus. TR-SIP 86/98. 1998.
10. P. J. Martin, A. Gavilanes, J. Leach. Free variable tableaux for a logic with term
    declarations. TABLEAUX'98. LNAI 1397, 202-216. 1998.
11. P. J. Martin, A. Gavilanes, J. Leach. Tableau methods for a logic with term
    declarations. Journal of Symbolic Computation 29, 343-372, 2000.
12. R. Nieuwenhuis, A. Rubio. Theorem proving with ordering and equality constrained
    clauses. Journal of Symbolic Computation 19, 321-351, 1995.
13. M. Schmidt-Schauss. Computational Aspects of an Order Sorted Logic with Term
    Declarations. LNAI 395, Springer, 1989.
14. C. Walther. A Many-sorted Calculus based on Resolution and Paramodulation.
    Research Notes in Artificial Intelligence. Pitman, 1987.
15. C. Weidenbach. A sorted logic using dynamic sorts. MPI-I-91-218, 1991.
16. C. Weidenbach. First-order tableaux with sorts. Journal of the Interest Group in
    Pure and Applied Logics 3(6), 887-907, 1995.


Partially Adaptive Code Trees 


Alexandre Riazanov and Andrei Voronkov 


University of Manchester 
{riazanov, voronkov}@cs.man.ac.uk 


Abstract. Code trees [8] is an indexing technique used for implementing 
several indexed operations on terms in the theorem prover Vampire [5]. 
Code trees offer greater flexibility than discrimination trees. In this paper 
we review a new, considerably faster, version of code trees based on a 
different representation of the query term. We also introduce a partially 
adaptive version of code trees. 

Keywords: automated theorem proving, subsumption, matching, term 
indexing, code trees 


1 Introduction 


In [8], code trees, a new indexing technique for forward subsumption, were
presented. In order to implement forward subsumption efficiently on a large set
of clauses, a general subsumption algorithm is specialised at run time for each
particular clause in the set. The specialised version of the algorithm is
represented as a sequence of instructions of some abstract machine. Such codes are
integrated into an indexing structure, a code tree, which allows one to perform
the subsumption check against the whole set of clauses at once. Although code
trees can be considered as a differently presented version of discrimination trees,
the compilation-based approach gives some serious advantages. Code sequences
for indexed terms are rather flexible objects as they allow various
equivalence-preserving transformations to be performed on the index. This
flexibility enables the invention and formulation of new optimisations. Exploiting
the notion of an abstract machine makes the description of the indexing technique
more machine-oriented and its efficient implementation feasible.

Although experiments with the original version of code trees have shown high 
effectiveness of the compilation-based approach, a case study revealed that the 
original formulation of this technique leaves space for significant improvements. 
In this paper we discuss several improvements implemented in version 0.0 of 
Vampire [5] that has won CASC-16 [7] in the MIX division and CASC-17 in the 
FOF division. 

The main improvement was achieved by changing the representation of query 
clauses. The original version [8] deals with query terms represented as tree-like 
structures. It has been discovered that the flatterm [1] representation of query 
clauses eliminates the need for some operations in code trees and also makes the 
expensive operation of term comparison faster. We will describe the new version 
of code trees in Section 3.

Apart from the representation of queries, another shortcoming in the original
version of code trees is worth special attention. There are two factors that
can increase the efficiency of indexing techniques: early detection of failure and
better sharing of structure (or, in our case, sharing of code). In the case of code
trees, early detection of failure can be achieved by applying term comparison
instructions as early as possible. At the same time this can degrade sharing
considerably, so that the size of a code tree grows as much as 10 times
on some benchmarks. In Section 4 we describe a partially adaptive version of
code trees in which both early detection of failure and better code sharing are
achieved by moving term comparison instructions up and down the tree during
the compilation of indexed terms. Moreover, we can change the comparison
instructions to achieve better sharing. We call the resulting version of code trees
partially adaptive because the tree can adapt to the insertion of new instructions
by changing itself. The ability to partially adapt code trees with small overhead
shows their advantage over the more standard data structures used for forward
subsumption and similar clause retrieval operations, for example discrimination
trees [3]. Finally, in Section 5 we describe experiments with partially adaptive
code trees.


2 Preliminaries 


We assume acquaintance with the basic notions of terms, substitutions and
clauses. A clause $C_1$ subsumes a clause $C_2$ if there exists a substitution
$\theta$ such that $C_1\theta$ is a subset of $C_2$. In [8] indexing for multiliteral
clauses was done by composition of indexes for their literals. Since our current
approach to dealing with multiliteral clauses does not differ from the one of [8],
it is sufficient to consider only the unit clause case in order to illustrate our
main optimizations. In the case of unit clauses, subsumption can be reformulated
as the matching problem on terms. We say that a term $t_1$ matches a term $t_2$ if
there exists a substitution $\theta$ such that $t_1\theta = t_2$. In this case we will
also say that $t_1$ subsumes $t_2$.

We will follow the general framework of term indexing presented in [4]. In
general, the term indexing problem can be formulated as follows. Given a set
of terms $I$, called the set of indexed terms, and a single term $t$, called the query
term, we have to retrieve quickly each term $s \in I$ such that a retrieval condition
$R$ holds between $s$ and $t$, i.e. we have $R(s,t)$. For the purpose of this paper
the retrieval condition $R$ is forward subsumption: $R(s,t)$ holds if $s$ subsumes $t$.
The term indexing problem consists of finding a datastructure, called the index,
which allows one to perform efficiently the following operations: term retrieval,
i.e. finding all (or some) $s \in I$ that are in relation $R$ with the query term $t$, and
index maintenance, i.e. changing the index when terms are inserted into, or deleted
from, the set of indexed terms.

A code tree is a datastructure for term indexing. The main idea of code
trees is as follows. Let $F$ be a procedure for performing forward subsumption, so
$F(s,t)$ returns true if $s$ subsumes $t$. For each indexed term $s \in I$ we specialize
$F$ by fixing its first argument to $s$. This specialized procedure is denoted by $F_s$,
thus we have $F_s(t) = F(s,t)$ for all terms $s$ and $t$. The procedure $F_s$ for each
indexed term $s \in I$ is represented as a sequence of instructions of an abstract
subsumption machine. There is a small number of instructions, some of which
have parameters. Then the procedures $\{F_s \mid s \in I\}$ are combined into a larger
set of instructions $F_I$, called the code tree for $I$. The set of instructions $F_I$ is
better viewed as a tree rather than a sequence, hence the name code tree. The
set of instructions $F_I$ is a procedure that can be executed on any query term $t$
such that $F_I(t) \Leftrightarrow (\exists s \in I)\, F_s(t)$.


3 Code Trees for the Flatterm-Based Representation of 
Query Terms 


In this section we describe a version of code trees obtained by adapting the 
original one of [8] to the new representation of queries. Following [8], we start 
from considering compilation of terms for the case of forward subsumption by one 
clause. To represent our algorithms formally, we will need quite a few definitions. 


3.1 Positions in Term 


If $t$ is a term, $top(t)$ denotes the top symbol of $t$, defined as follows:


$top(t) = t$, if $t$ is a variable or constant;
$top(t) = f$, if $t = f(t_1,\ldots,t_n)$, $n > 0$.


We call a position any finite sequence of natural numbers, including the empty
sequence, denoted by $\lambda$. The notion of position in a term $t$ and the subterm of
$t$ at a position $p$, denoted $t/p$, are given by the following definition.


1. the empty position $\lambda$ is a position in $t$ and $t/\lambda = t$.
2. if $t/p = f(t_1,\ldots,t_n)$, $n > 0$, then $p.1,\ldots,p.n$ are positions in $t$ and
   $t/(p.i) = t_i$ for all $i \in \{1,\ldots,n\}$.


$Pos(t)$ will denote the set of all positions in $t$. For technical purposes we
extend $Pos(t)$ by a special object $\varepsilon$ called the end position in $t$. The set
$Pos(t) \cup \{\varepsilon\}$ will be denoted by $Pos^*(t)$. When it is necessary to tell
the end position from other positions, we call the positions from $Pos(t)$ proper
positions. The size of a term $t$, denoted $|t|$, is defined as the number of proper
positions in $t$. We denote by $<$ the lexicographic ordering on positions, extended
in the following way: $p < \varepsilon$ for any proper position $p$. To perform traversal
of a term $t$ we will need two operations on proper term positions, $next_t$ and
$after_t$, which can be informally explained as follows. Represent the term $t$ as a
tree and imagine a term traversal in the left-to-right, depth-first direction.
Suppose $t/p = s$. Then $t/next_t(p)$ is the subterm of $t$ visited immediately after
$s$, and $t/after_t(p)$ is the subterm visited immediately after the traversal of all
subterms of $s$. Formally, let $\lambda = p_1 < \ldots < p_n < p_{n+1} = \varepsilon$ be all
positions in $t$. Then $next_t(p_i) = p_{i+1}$ for all $i \le n$. The definition of
$after_t$ is as follows: $after_t(\lambda) = \varepsilon$, and for $1 < i \le n$,
$after_t(p_i) = p_j$, where $j$ is the smallest number such that $j > i$ and $p_i$ is
not a prefix of $p_j$; that is, $p_i$ is a prefix of $p_k$ for all $i < k < j$.
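
The two traversal operations can be made concrete with a small sketch. The Python below is only an illustration under stated assumptions, not the Vampire implementation: terms are encoded as nested tuples (an encoding chosen here), positions are tuples of integers, and the names `positions`, `next_pos`, `after_pos` and the marker `END` for the end position are hypothetical.

```python
# Terms: a variable or constant is a string; f(t1,...,tn) is ("f", t1, ..., tn).
END = "end"  # stands for the end position

def positions(t, p=()):
    """All proper positions of t in left-to-right, depth-first order."""
    result = [p]
    if isinstance(t, tuple):
        for i, arg in enumerate(t[1:], start=1):
            result.extend(positions(arg, p + (i,)))
    return result

def next_pos(t, p):
    """Position visited immediately after p."""
    ps = positions(t) + [END]
    return ps[ps.index(p) + 1]

def after_pos(t, p):
    """Position visited immediately after the whole subterm at p."""
    ps = positions(t)
    for q in ps[ps.index(p) + 1:]:
        if q[:len(p)] != p:   # first later position that is not below p
            return q
    return END

t = ("f", ("g", "x1", "x2"), ("h", "x1", "x1"))
```

For the term `t` above, `next_pos(t, (1,))` is `(1, 1)` (the first argument of `g`), whereas `after_pos(t, (1,))` is `(2,)` (the subterm headed by `h`). This version recomputes the position list on every call; it is meant to mirror the definition, not to be efficient.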


As mentioned, our new code trees are interpreted on queries represented
as flatterms. In Vampire we use an array-based version of flatterms. A
term $t$ is represented by an array of size $|t|$. Let $p_1 < \ldots < p_n$ be all proper
positions in $t$. Then the $i$-th element of the array is a pair $(s, j)$, where
$s = top(t/p_i)$ and $p_j = after_t(p_i)$.

It can be seen that our major operations on positions, $next_t$ and $after_t$, can
be computed very efficiently on such a representation: $next_t$ is computed by
simply incrementing the corresponding subscript, so $next_t(p_i) = p_{i+1}$, and the
subscript of $after_t(p_i)$ is given explicitly in the $i$-th element. Another
serious advantage of this representation in comparison with tree-like terms
is that equality of two subterms $q/p_i$ and $q/p_j$ can be checked efficiently,
without using stack operations.
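
A minimal sketch of an array-based flatterm follows. It is an illustration only: the nested-tuple input encoding, the 0-based indices and the function names `flatten` and `subterms_equal` are assumptions made here. The equality test relies on every function symbol having a fixed arity, so that the preorder sequence of symbols determines the subterm.

```python
def flatten(t):
    """Flatterm of t: a list of (top symbol, index just after the subterm)."""
    flat = []
    def visit(s):
        i = len(flat)
        flat.append(None)                 # reserve the slot for this subterm
        if isinstance(s, tuple):
            for arg in s[1:]:
                visit(arg)
            top = s[0]
        else:
            top = s
        flat[i] = (top, len(flat))        # len(flat) is the index of 'after'
    visit(t)
    return flat

def subterms_equal(flat, i, j):
    """Compare the subterms starting at indices i and j by a linear scan."""
    ni, nj = flat[i][1] - i, flat[j][1] - j
    return ni == nj and all(flat[i + k][0] == flat[j + k][0] for k in range(ni))

q = ("f", ("g", "a", "b"), ("g", "a", "b"))
flat_q = flatten(q)
```

Here `next` is `i + 1` and `after` is read directly from the second component of the `i`-th pair; the index `len(flat)` plays the role of the end position.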


For technical purposes we introduce a new set of variables $*_1, *_2, \ldots$, called
the technical variables. A term containing no technical variables will be called
an ordinary term. Let $\lambda = p_0 < p_1 < \ldots < p_n$ be all proper positions in $t$.
Then for $i \in \{0,\ldots,n\}$, $pos_i(t)$ will denote $p_i$.


Let $p_{k_1} < \ldots < p_{k_m}$ be all the proper positions in $t$ such that
$top(t/p_{k_i})$ is a variable. The $i$-th variable position in $t$, denoted by
$vp_i(t)$, is defined as $vp_i(t) = p_{k_i}$. For $i > m$, $vp_i(t)$ is undefined. The
technical skeleton of a term $t$, denoted by $tsk(t)$, is the term obtained from $t$
by replacing the subterm of $t$ at the $i$-th variable position by the technical
variable $*_i$, for all $i$. For example, the technical skeleton of
$f(x_1, a, g(x_1, x_2))$ is $f(*_1, a, g(*_2, *_3))$.


The variable equivalence relation for a term $t$, denoted $\mathcal{E}_t$, is the
equivalence relation on $\{1,\ldots,m\}$ such that $(i,j) \in \mathcal{E}_t$ if and only
if $top(t/vp_i(t)) = top(t/vp_j(t))$. For example, the variable equivalence relation
for $f(x_1, a, g(x_1, x_2))$ consists of two equivalence classes: $\{1,2\}$ and $\{3\}$.
The pair $(tsk(t), \mathcal{E}_t)$ will be called the technical abstraction of $t$. Note
that two terms have the same technical abstraction if and only if they are
variants of each other. If $B$ is a binary relation, $B^{\sim}$ denotes the transitive,
reflexive and symmetric closure of $B$. If $\mathcal{E}$ is an equivalence relation and
$B$ is a binary relation such that $B^{\sim} = \mathcal{E}$, then $B$ is called a frame of
$\mathcal{E}$. A frame is called minimal if no proper subset of it is a frame.
Throughout the rest of the paper we consider only equivalence relations over
finite sets of the form $\{1,\ldots,m\}$. A finite sequence
$(u_1,v_1),\ldots,(u_k,v_k)$ of pairs of integers is called a computation sequence
for $\mathcal{E}$ if the relation $\{(u_1,v_1),\ldots,(u_k,v_k)\}$ is a minimal frame of
$\mathcal{E}$ and $u_i < v_i$ for all $i \in \{1,\ldots,k\}$. Such a computation sequence
is called canonical if each $u_i$ is the minimal element of its equivalence class
in $\mathcal{E}$ and $v_i < v_j$ for $i < j$. Note that the canonical computation
sequence is uniquely defined.
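
The technical skeleton and the canonical computation sequence can be computed in a single left-to-right pass. The sketch below is illustrative only: the nested-tuple term encoding, the convention that variables are strings starting with "x", and the names `abstraction` and `canonical_sequence` are assumptions made for this example.

```python
def is_var(s):
    # Assumption of this sketch: variables are strings starting with "x".
    return isinstance(s, str) and s.startswith("x")

def abstraction(t):
    """Return (technical skeleton, variable names listed by variable position)."""
    occurrences = []
    def go(s):
        if isinstance(s, tuple):
            return (s[0],) + tuple(go(a) for a in s[1:])
        if is_var(s):
            occurrences.append(s)
            return "*%d" % len(occurrences)   # technical variable *_i
        return s
    return go(t), occurrences

def canonical_sequence(occurrences):
    """Pairs (u, v): u is the first variable position of v's class, v increasing."""
    first, seq = {}, []
    for v, name in enumerate(occurrences, start=1):
        if name in first:
            seq.append((first[name], v))
        else:
            first[name] = v
    return seq

skeleton, occ = abstraction(("f", "x1", "a", ("g", "x1", "x2")))
```

Each equivalence class with k members contributes k - 1 pairs, all anchored at its smallest member, which is what makes the resulting frame minimal and the sequence canonical.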
3.2 Compilation for Forward Subsumption by One Clause


We are going to solve the following problem: given a term $t$ and a query term $q$,
we have to check whether $t$ subsumes $q$. Figure 1 shows a deterministic algorithm
that does the job.


procedure Subsume(t, q)
begin
  /* First phase: term traversal */
  let subst be an array for storing positions in q;
  pos_t := λ;
  pos_q := λ;
  while pos_t ≠ ε
    if tsk(t)/pos_t = *_i
    then
      subst[i] := pos_q;
      pos_q := after_q(pos_q);
      pos_t := after_t(pos_t);
    else /* t/pos_t is not a variable */
      if top(t/pos_t) = top(q/pos_q)
      then
        pos_q := next_q(pos_q);
        pos_t := next_t(pos_t);
      else return failure;
  end while;
  /* Second phase: comparison of terms */
  let (u_1,v_1),...,(u_n,v_n) be the canonical computation sequence for E_t;
  i := 1;
  while i ≤ n
    if q/subst[u_i] ≠ q/subst[v_i]
    then return failure;
    else i := i+1;
  end while
  return success;
end


Fig. 1. A one-to-one subsumption algorithm 
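
A runnable rendering of the two-phase algorithm of Figure 1 may help. The following is a hedged sketch, not the authors' code: it assumes nested-tuple terms, variables named "x...", 0-based flatterm indices in place of positions, and that indexed and query terms use function symbols with fixed arities (so the traversal of q cannot run out before that of t). The helper names are hypothetical.

```python
def is_var(s):
    # Assumption of this sketch: variables are strings starting with "x".
    return isinstance(s, str) and s.startswith("x")

def flatten(t):
    """Flatterm of t: list of (top symbol, index just after the subterm)."""
    flat = []
    def visit(s):
        i = len(flat)
        flat.append(None)
        for arg in (s[1:] if isinstance(s, tuple) else ()):
            visit(arg)
        flat[i] = (s[0] if isinstance(s, tuple) else s, len(flat))
    visit(t)
    return flat

def symbols(flat, i):
    """Symbols of the subterm that starts at index i."""
    return [sym for sym, _ in flat[i:flat[i][1]]]

def subsume(t, q):
    ft, fq = flatten(t), flatten(q)
    subst = []              # subst[k]: index in q bound at variable position k+1
    first, pairs = {}, []   # canonical computation sequence, built on the fly
    pos_t = pos_q = 0
    # First phase: term traversal.
    while pos_t < len(ft):
        sym, after_t = ft[pos_t]
        if is_var(sym):
            k = len(subst)
            subst.append(pos_q)
            if sym in first:
                pairs.append((first[sym], k))
            else:
                first[sym] = k
            pos_q = fq[pos_q][1]                    # after in q
            pos_t = after_t                         # after in t
        elif sym == fq[pos_q][0]:
            pos_t, pos_q = pos_t + 1, pos_q + 1     # next in t and in q
        else:
            return False
    # Second phase: comparison of terms.
    return all(symbols(fq, subst[u]) == symbols(fq, subst[v]) for u, v in pairs)

t = ("f", ("g", "x1", "x2"), ("h", "x1", "x1"))
```

For instance, `subsume(t, ("f", ("g", "a", "b"), ("h", "a", "a")))` succeeds, while replacing the last `a` by `b` makes the second phase fail.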


Following [8] we specialise this general subsumption algorithm Subsume for
each indexed term $t$, obtaining its specialized version Subsume_t. The specialized
version has the property Subsume_t(q) = Subsume(t, q), for each query term
$q$. The specialized algorithm is represented as a sequence of instructions of an
abstract machine. In other words, we compile the term into code of the abstract
machine. Then this code is submitted, together with the query term $q$, to the
interpreting procedure. Before presenting technical details let us consider one
simple example.


procedure Subsume_t(q)
begin
  p := λ;                                        initl : Initialize(l1)
  if top(q/p) ≠ f return failure;                l1 : Check(f, l2, faill)
  p := next_q(p);
  if top(q/p) ≠ g return failure;                l2 : Check(g, l3, faill)
  p := next_q(p);
  subst[1] := p;                                 l3 : Put(1, l4, faill)
  p := after_q(p);
  subst[2] := p;                                 l4 : Put(2, l5, faill)
  p := after_q(p);
  if top(q/p) ≠ h return failure;                l5 : Check(h, l6, faill)
  p := next_q(p);
  subst[3] := p;                                 l6 : Put(3, l7, faill)
  p := after_q(p);
  subst[4] := p;                                 l7 : Put(4, l8, faill)
  p := after_q(p);
  if q/subst[1] ≠ q/subst[3] return failure;     l8 : Compare(1, 3, l9, faill)
  if q/subst[1] ≠ q/subst[4] return failure;     l9 : Compare(1, 4, l10, faill)
  return success;                                l10 : Success
end                                              faill : Failure

Fig. 2. The algorithm Subsume specialized for the term t = f(g(x1, x2), h(x1, x1))
Fig. 3. The corresponding sequence of instructions


Example 1. Let $t = f(g(x_1, x_2), h(x_1, x_1))$ be the compiled term. The specialised
version of the matching algorithm for this term is shown in Figure 2.

This specialized version can be rewritten in a more formal way using special 
instructions Initialize, Check, Put, Compare, Success and Failure as shown in 
Figure 3. The semantics of these instructions should be clear from the example, 
but will also be formally explained later. 


3.3. Abstract Subsumption Machine 


Now we are ready to describe the abstract machine, its instructions, compilation 
process, and interpretation formally. Memory of the abstract machine is divided 
into the following “registers”: 


1. a substitution register subst, which is an array of positions in the query term;
2. a register p for storing the current position in the query term;
3. a register instr for storing the label of the current instruction.

To identify instructions in code we will use special objects called labels. We
distinguish two special labels: initl and faill. A labeled instruction will be written
as a pair of the form l : I, where l is a label and I is the instruction itself.
The instruction set of our abstract machine consists of Initialize, Check, Put,
Compare, Success and Failure. Success and Failure have no arguments. The other
instructions have the following form:


— Initialize(l1), where l1 is a label;

— Check(f, l1, l2), where f is a function symbol and l1, l2 are labels;

— Put(n, l1, l2), where n is a positive integer and l1, l2 are labels;

— Compare(m, n, l1, l2), where m, n are positive integers and l1, l2 are labels.


For convenience, we define two functions on instructions, cont and back. On all
the above instructions cont returns l1 and back returns l2. Intuitively, cont is the
label of the instruction that should be executed after the current instruction
(if this instruction succeeds), and back is the label of the instruction that is
executed if the current instruction fails.

The semantics of the instructions is shown in Figure 4. At the moment the 
last argument of Put is dummy. It will be used when we discuss the case of many 
indexed terms. 


Initialize(l1)           p := λ;
                         goto l1

Check(s, l1, l2)         if top(q/p) = s
                         then
                           p := next_q(p);
                           goto l1
                         else goto l2

Put(n, l1, l2)           subst[n] := p;
                         p := after_q(p);
                         goto l1

Compare(m, n, l1, l2)    if q/subst[m] = q/subst[n]
                         then goto l1
                         else goto l2

Success                  return success

Failure                  return failure


Fig. 4. Semantics of instructions in code sequences 


For a given indexed term $t$, compilation of instructions for Subsume_t results in
a set of labeled instructions, called the code for $t$. It consists of two parts,
traversal code and compare code, plus three standard instructions:
initl : Initialize(l1), succl : Success and faill : Failure.

Suppose $p_1 < p_2 < \ldots < p_m$ are all proper positions in $t$. The traversal code
for $t$ is the set of instructions $\{l_1 : I_1, \ldots, l_m : I_m\}$, where the $l_i$ are
labels and the $I_i$ are defined as follows:


$I_i = Check(top(t/p_i), l_{i+1}, faill)$, if $t/p_i$ is not a variable;
$I_i = Put(k, l_{i+1}, faill)$, if $tsk(t)/p_i = *_k$.

Let $(u_1,v_1),\ldots,(u_n,v_n)$ be the canonical computation sequence for
$\mathcal{E}_t$. Then the compare code for $t$ is the set of instructions
$l_{m+i} : Compare(u_i, v_i, l_{m+i+1}, faill)$ for $i \in \{1,\ldots,n\}$, where
$l_{m+n+1} = succl$. In Figure 3 from Example 1, instructions l1 to l7 and l8, l9
form the traversal and compare code, respectively.

The code for $t$ is executed on the query term according to the semantics
of instructions shown in Figure 4, beginning with the instruction Initialize. It
is unlikely that the following statement will surprise anybody: execution of the
code for $t$ on any query term $q$ terminates, and returns success if and only if $t$
subsumes $q$. Observe that the code for $t$ has a linear structure: instructions can be
executed sequentially. In view of this observation we will also call the code for $t$
the code sequence for $t$.
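
Compilation and interpretation of a code sequence can be sketched as follows. This is an illustrative reading of the definitions above, not Vampire's implementation: instructions are Python tuples, the integer i stands for the label l_i, terms are nested tuples with variables named "x...", positions are 0-based flatterm indices, and fixed arities are assumed. The names `compile_term` and `run` are hypothetical.

```python
def is_var(s):
    return isinstance(s, str) and s.startswith("x")   # assumed variable naming

def flatten(t):
    """Flatterm of t: list of (top symbol, index just after the subterm)."""
    flat = []
    def visit(s):
        i = len(flat)
        flat.append(None)
        for arg in (s[1:] if isinstance(s, tuple) else ()):
            visit(arg)
        flat[i] = (s[0] if isinstance(s, tuple) else s, len(flat))
    visit(t)
    return flat

def compile_term(t):
    """Code for t as a dict: label -> instruction tuple."""
    body, occurrences = [], []
    def traverse(s):                      # traversal code
        if isinstance(s, tuple):
            body.append(("Check", s[0]))
            for arg in s[1:]:
                traverse(arg)
        elif is_var(s):
            occurrences.append(s)
            body.append(("Put", len(occurrences)))
        else:
            body.append(("Check", s))
    traverse(t)
    first = {}
    for v, name in enumerate(occurrences, start=1):   # compare code
        if name in first:
            body.append(("Compare", first[name], v))
        else:
            first[name] = v
    code = {"initl": ("Initialize", 1), "succl": ("Success",), "faill": ("Failure",)}
    for i, ins in enumerate(body, start=1):
        cont = i + 1 if i < len(body) else "succl"
        code[i] = ins + (cont, "faill")
    return code

def run(code, q):
    """Execute a code sequence on query q following the semantics of Figure 4."""
    fq, subst, p, label = flatten(q), {}, 0, "initl"
    sub = lambda i: [s for s, _ in fq[i:fq[i][1]]]
    while True:
        ins = code[label]
        if ins[0] == "Initialize":
            p, label = 0, ins[1]
        elif ins[0] == "Check":
            if fq[p][0] == ins[1]:
                p, label = p + 1, ins[2]
            else:
                label = ins[3]
        elif ins[0] == "Put":
            subst[ins[1]] = p
            p, label = fq[p][1], ins[2]
        elif ins[0] == "Compare":
            label = ins[3] if sub(subst[ins[1]]) == sub(subst[ins[2]]) else ins[4]
        else:
            return ins[0] == "Success"

code = compile_term(("f", ("g", "x1", "x2"), ("h", "x1", "x1")))
```

For the term of Example 1 this yields seven traversal instructions followed by `Compare(1, 3, ...)` and `Compare(1, 4, ...)`, matching the shape of Figure 3 up to the naming of the final label.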


3.4 Code Trees for Many-to-One Subsumption 


Recall that our main problem is to find whether any term $t$ in a large set $T$ of
indexed terms subsumes a given query term $q$. Using the compilation described in
the previous subsection, one can solve the problem by executing the code for
all terms in $T$. This solution is inappropriate for large sets of terms. However,
code sequences for terms can still be useful, as we can share many instructions
from the code for different terms. We rely on the following observation: in most
instances in automated theorem proving the set $T$ contains many terms having
similar structure. Code sequences for similar terms often have long coinciding
prefixes. It is natural to combine the code sequences into one indexing
structure, where the equal prefixes of code sequences are shared. Due to the
tree-like form of such structures we call them code trees. Nodes of code trees are
instructions of the abstract subsumption machine. Linking of different code
sequences is done by setting appropriate values to the cont and back arguments of
the instructions. A branch of such a tree is a code sequence for some indexed term
interleaved with some instructions of code sequences for other indexed terms. Apart
from reducing memory consumption, combining code sequences in one index
results in tremendous improvements in time-efficiency, since during a subsumption
check shared instructions are executed once for several terms in the indexed
set. To illustrate this idea let us compare the code sequences for the terms


$t_1 = f(f(x_1, x_2), f(x_1, x_1))$ and $t_2 = f(f(x_1, x_2), f(x_2, x_2))$.


initl : Initialize(l1)               initl : Initialize(l1)
l1 : Check(f, l2, faill)             l1 : Check(f, l2, faill)
l2 : Check(f, l3, faill)             l2 : Check(f, l3, faill)
l3 : Put(1, l4, faill)               l3 : Put(1, l4, faill)
l4 : Put(2, l5, faill)               l4 : Put(2, l5, faill)
l5 : Check(f, l6, faill)             l5 : Check(f, l6, faill)
l6 : Put(3, l7, faill)               l6 : Put(3, l7, faill)
l7 : Put(4, l8, faill)               l7 : Put(4, l8, faill)
l8 : Compare(1, 3, l9, faill)        l8 : Compare(2, 3, l9, faill)
l9 : Compare(1, 4, l10, faill)       l9 : Compare(2, 4, l10, faill)
l10 : Success                        l10 : Success

Sharing the first eight instructions of these sequences results in the following code:

C:
initl : Initialize(l1)
l1 : Check(f, l2, faill)
l2 : Check(f, l3, faill)
l3 : Put(1, l4, faill)
l4 : Put(2, l5, faill)
l5 : Check(f, l6, faill)
l6 : Put(3, l7, faill)
l7 : Put(4, l8, faill)
l8 : Compare(1, 3, l9, l11)          l11 : Compare(2, 3, l12, faill)
l9 : Compare(1, 4, l10, faill)       l12 : Compare(2, 4, l10, faill)
l10 : Success


We can execute this code as follows. First, the eight shared instructions are
executed. If none of them results in failure, we continue by executing instructions
l8, l9, l10. If the Success instruction l10 is reached, the whole process terminates
with success. Otherwise, if either of the equality checks l8, l9 fails, we have to
backtrack and resume the execution from the instruction l11.

In general, to maintain a code tree for a dynamically changing set $T$, one has
to implement two operations: integration of new code sequences into the tree,
when a term is added to $T$, and removal of sequences when a term is deleted
from $T$. The integration of a code sequence CS into a code tree CT can be done
as follows. We move simultaneously along the sequence CS and a branch of CT
beginning from the Initialize instructions. If the current instruction $I_T$ in CT
coincides with the current instruction $I_S$ in CS up to the label arguments, we
skip these instructions, following the labels in their cont arguments. If $I_T$
differs from $I_S$ we have to consider two cases:


1. If back($I_T$) is not the Failure instruction, in the code tree we move to this
   instruction and continue integration.

2. If back($I_T$) is Failure, we set the back argument of $I_T$ to the label of $I_S$.
   Thus, the rest of the code sequence CS together with the passed instructions in
   CT forms a new branch in the tree.


Removal of obsolete branches is also very simple: we remove from the code all
unshared instructions corresponding to the removed term and link the remaining
instructions in an appropriate manner. Due to postponing Compare instructions,
code trees maintained in this manner have an important property: traversal codes
for any terms having the same technical skeleton are shared completely.

Code trees are executed nearly the same way as code sequences, but with
one difference due to possible backtrack points. As soon as an instruction with
a backtrack argument is found, we store its backtrack argument and the current
position in the query term in special stacks backtrPos and backtrInstr. Semantics
of instructions in code trees is shown in Figure 5.

It is worth noting that all operations in the semantics of instructions can be
executed very efficiently on flatterms.

Initialize(l1)           p := λ;
                         backtrPos := empty stack;
                         backtrInstr := empty stack;
                         goto l1

Check(s, l1, l2)         if top(q/p) = s
                         then
                           push(l2, backtrInstr);
                           push(p, backtrPos);
                           p := next_q(p);
                           goto l1
                         else goto l2

Put(n, l1, l2)           push(l2, backtrInstr);
                         push(p, backtrPos);
                         subst[n] := p;
                         p := after_q(p);
                         goto l1

Compare(m, n, l1, l2)    if q/subst[m] = q/subst[n]
                         then
                           push(l2, backtrInstr);
                           push(p, backtrPos);
                           goto l1
                         else goto l2

Success                  return success

Failure                  if backtrPos is empty
                         then return failure
                         else
                           p := pop(backtrPos);
                           goto pop(backtrInstr)


Fig. 5. Semantics of instructions in code trees 
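
The backtracking semantics of Figure 5 can be exercised on the shared code for t1 = f(f(x1, x2), f(x1, x1)) and t2 = f(f(x1, x2), f(x2, x2)) discussed earlier in this section. The sketch below is an assumption-laden illustration: the tree is written by hand as a Python dict with the integer i standing for label l_i, the second branch is assumed to be labelled l11, l12, the two stacks are merged into one stack of (label, position) pairs, and terms are nested tuples over fixed-arity symbols.

```python
def flatten(t):
    """Flatterm of t: list of (top symbol, index just after the subterm)."""
    flat = []
    def visit(s):
        i = len(flat)
        flat.append(None)
        for arg in (s[1:] if isinstance(s, tuple) else ()):
            visit(arg)
        flat[i] = (s[0] if isinstance(s, tuple) else s, len(flat))
    visit(t)
    return flat

def execute(tree, q):
    """Run a code tree on query q; True iff some indexed term subsumes q."""
    fq, subst, stack = flatten(q), {}, []
    sub = lambda i: [s for s, _ in fq[i:fq[i][1]]]
    p, label = 0, "initl"
    while True:
        ins = tree[label]
        op = ins[0]
        if op == "Initialize":
            p, stack, label = 0, [], ins[1]
        elif op == "Check":
            if fq[p][0] == ins[1]:
                stack.append((ins[3], p))          # remember the backtrack point
                p, label = p + 1, ins[2]
            else:
                label = ins[3]
        elif op == "Put":
            stack.append((ins[3], p))
            subst[ins[1]] = p
            p, label = fq[p][1], ins[2]
        elif op == "Compare":
            if sub(subst[ins[1]]) == sub(subst[ins[2]]):
                stack.append((ins[4], p))
                label = ins[3]
            else:
                label = ins[4]
        elif op == "Success":
            return True
        else:                                      # Failure
            if not stack:
                return False
            label, p = stack.pop()

F = "faill"
C = {"initl": ("Initialize", 1), F: ("Failure",),
     1: ("Check", "f", 2, F), 2: ("Check", "f", 3, F),
     3: ("Put", 1, 4, F), 4: ("Put", 2, 5, F), 5: ("Check", "f", 6, F),
     6: ("Put", 3, 7, F), 7: ("Put", 4, 8, F),
     8: ("Compare", 1, 3, 9, 11), 9: ("Compare", 1, 4, 10, F), 10: ("Success",),
     11: ("Compare", 2, 3, 12, F), 12: ("Compare", 2, 4, 10, F)}
```

Note that a successful Compare also records its back label: on the query f(f(a, b), f(a, b)) the check at l8 succeeds, l9 fails, and the machine must still return to l11 before giving up.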


To conclude the section we describe here the differences between this version
of code trees and that of [8]. These differences make the execution of code trees
significantly faster:


1. The original version of code trees contained 6 more instructions:

   (a) The flatterm representation of queries made it possible to get rid of the
       stack instructions Push and Pop, heavily used in the original version to
       encode term-traversal related operations.

   (b) The effect of the Right and Down instructions is now part of the semantics
       for Check and Put. This saves space and time: instead of fetching two
       instructions we only need to fetch one (instructions are interpreted, so
       there is an overhead in fetching the next instruction).

   (c) Due to better organization of backtracking, the instructions Fork and
       Restore used for the maintenance of backtracking are no longer needed.

2. The execution of any instruction except Compare requires constant time. The
   most expensive instruction, Compare, requires comparison of two subterms
   of the query term. Due to the flatterm representation of the query term,
   Compare instructions are now executed more efficiently.


4 Partially Adaptive Code Trees 


From the discussion in the previous section the reader could get a feeling that
code trees are slightly optimized discrimination trees. In this section we discuss
an optimization which is essentially impossible on discrimination trees. This
optimization, partially adaptive code trees, shows the greater flexibility of code
trees as compared to discrimination trees or substitution trees [2,6].


It is believed that a greater amount of sharing, and hence efficiency, can
be gained by using adaptive indexing structures (see [4]). Examples of such
structures are substitution trees [2] and adaptive automata (see [4]). The idea of
adaptive structures is that the order of the query term traversal is not fixed in
advance, so indexing structures can adapt themselves to new orders of traversal
when indexed terms are added or deleted. The price paid for adaptiveness is
quite high, so it is not clear that adaptive structures can be more efficient than
the standard ones. The index maintenance becomes more complex, choosing
a wrong order can actually slow down execution, and it is difficult to ensure
that the order is good: usually, the problem of optimality of a given structure is
coNP-complete (see [4]). In the case of code trees for forward subsumption, the
use of adaptive structures requires a tree-like representation of query terms and,
consequently, a larger set of instructions.


However, the flexibility of code trees allows one to make them partially
adaptive, without changing the order of traversal of query terms. The main idea
is to use the fact that Compare instructions commute with many other
instructions, and thus can be moved up and down the tree (with essentially no
overhead in the index maintenance). To illustrate this idea, consider the term
$t_1 = f(x_1, x_1, x_2, x_2)$ and the following code sequences $C_1$, $C_1'$:


C1:                                  C1':
initl : Initialize(l1)               initl : Initialize(l1)
l1 : Check(f, l2, faill)             l1 : Check(f, l2, faill)
l2 : Put(1, l3, faill)               l2 : Put(1, l3, faill)
l3 : Put(2, l4, faill)               l3 : Put(2, l4, faill)
l4 : Put(3, l5, faill)               l4 : Compare(1, 2, l5, faill)
l5 : Put(4, l6, faill)               l5 : Put(3, l6, faill)
l6 : Compare(1, 2, l7, faill)        l6 : Put(4, l7, faill)
l7 : Compare(3, 4, l8, faill)        l7 : Compare(3, 4, l8, faill)
l8 : Success                         l8 : Success


The code sequence $C_1$ is computed by our compilation algorithm. The code
sequence $C_1'$ is obtained from $C_1$ by moving the instruction Compare(1,2,...) up
the sequence. Such a lifting of some Compare instructions serves two purposes.
The first one is earlier detection of failure. For example, execution of the code
$C_1$ on the query term $q = f(a,b,a,a)$ determines failure after 7 instructions,
while $C_1'$ fails after 5 instructions.


The second purpose of moving instructions up the tree is that it can increase
sharing of code when new code sequences are integrated into code trees. Moreover,
since Compare instructions are potentially expensive, sharing them is
especially desirable. For example, consider the term $t_2 = f(x_1, x_1, a, x_2)$ and two
equivalent code sequences for $t_2$:




C2:
initl : Initialize(l1)
l1 : Check(f, l2, faill)
l2 : Put(1, l3, faill)
l3 : Put(2, l4, faill)
l4 : Check(a, l5, faill)
l5 : Put(3, l6, faill)
l6 : Compare(1, 2, l7, faill)
l7 : Success


C2':
initl : Initialize(l1)
l1 : Check(f, l2, faill)
l2 : Put(1, l3, faill)
l3 : Put(2, l4, faill)
l4 : Compare(1, 2, l5, faill)
l5 : Check(a, l6, faill)
l6 : Put(3, l7, faill)
l7 : Success


Combining $C_1$ with $C_2$ gives us the following code tree:


T:
initl : Initialize(l1)
l1 : Check(f, l2, faill)
l2 : Put(1, l3, faill)
l3 : Put(2, l4, faill)
l4 : Put(3, l5, l9)                  l9 : Check(a, l10, faill)
l5 : Put(4, l6, faill)               l10 : Put(3, l11, faill)
l6 : Compare(1, 2, l7, faill)        l11 : Compare(1, 2, l8, faill)
l7 : Compare(3, 4, l8, faill)
l8 : Success

Combining $C_1'$ with $C_2'$ gives us a code tree with fewer instructions:

T':
initl : Initialize(l1)
l1 : Check(f, l2, faill)
l2 : Put(1, l3, faill)
l3 : Put(2, l4, faill)
l4 : Compare(1, 2, l5, faill)
l5 : Put(3, l6, l9)                  l9 : Check(a, l10, faill)
l6 : Put(4, l7, faill)               l10 : Put(3, l8, faill)
l7 : Compare(3, 4, l8, faill)
l8 : Success


Execution of the code tree T on the query term $f(a,b,a,a)$ fails after 10
instructions, while execution of T' fails only after 5.


Under some circumstances, Compare instructions can also be moved down 
the tree, for the same purpose of increasing sharing. We will illustrate this later, 
when we discuss the algorithm of insertion into code trees. Thus, the new code 
trees can adapt themselves to the insertion of new code sequences by moving 
some instructions up and down the tree (but without changing the order of 
traversal of the query term). This is why we call them partially adaptive. 


Apart from moving Compare instructions, other equivalence-preserving
transformations of code sequences can be used to improve sharing. This optimization
is based on the observation that different computation sequences can be used
for computing an equivalence relation. When encoding the technical equivalence
E_t by a sequence of Compare instructions we can use any computation sequence
for E_t instead of the canonical one.

Example 2. Let us illustrate this idea by an example. Consider the terms
t_1 = f(x_1, x_2, x_2, x_2) and t_2 = f(x_1, x_1, x_1, x_2). The canonical computation
sequences for E_{t_1} and E_{t_2} are (2,3), (2,4) and (1,2), (1,3). The corresponding
Compare instructions in the code sequences for t_1 and t_2 cannot be shared.
However, the equivalence relation E_{t_2} can be computed by the sequence (2,3), (1,3),
so that the instruction Compare(2,3,...) can be shared, resulting in the following
code tree for {t_1, t_2}:


initl : Initialize(l1)
l1 : Check(f, l2, faill)
l2 : Put(1, l3, faill)
l3 : Put(2, l4, faill)
l4 : Put(3, l5, faill)
l5 : Compare(2, 3, l6, faill)
l6 : Put(4, l7, l9)
l7 : Compare(3, 4, l8, faill)     l9 : Compare(1, 3, l8, faill)
l8 : Success
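
That two different computation sequences encode the same equivalence relation can be checked mechanically. The sketch below is an illustration only: it uses a standard union-find structure, and the function name classes is hypothetical. Positions are numbered from 1, as in the Compare instructions.

```python
def classes(pairs, n):
    """Return the partition of positions 1..n generated by the given pairs."""
    parent = list(range(n + 1))       # parent[i] == i means i is a root

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]   # path halving
            i = parent[i]
        return i

    for i, j in pairs:
        parent[find(i)] = find(j)     # merge the two classes

    groups = {}
    for i in range(1, n + 1):
        groups.setdefault(find(i), set()).add(i)
    return {frozenset(g) for g in groups.values()}

canonical = [(1, 2), (1, 3)]          # canonical sequence for t_2
alternative = [(2, 3), (1, 3)]        # sequence that shares Compare(2,3,...)
print(classes(canonical, 4) == classes(alternative, 4))   # True
```

Both sequences yield the classes {1,2,3} and {4}, so replacing the canonical sequence by the alternative one does not change which query terms are accepted.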


Note that the semantics of instructions in partially adaptive code trees is the 
same as in the standard code trees. The only difference between the two versions 
of code trees is in their maintenance: the compilation of code sequences and their 
insertion into a code tree. 


Now specialising the algorithm on a given term may produce several different
codes. We have to fix a strategy for choosing an appropriate code sequence
for a given term in the presence of a code tree. The choice of the strategy must
reflect our two main goals: a better degree of sharing and earlier detection of
failure. Moreover, we often have to modify the tree itself significantly, since some
code sequences in the tree have to be adapted to the new code sequences being
integrated. Thus, the situation is more complex than with the basic version:
compilation should be done simultaneously with modifying the tree. Our third
goal is efficiency of maintenance: insertion into and deletion from code trees
should be fast.


In view of the third goal, the deletion algorithm we use in Vampire is very 
simple. After having deleted a code sequence from a tree we do not try to modify 
the trees by shifting Compare instructions. This means that the code tree for a 
set of indexed terms T can change when we insert a code sequence for a new 
indexed term t, and then immediately delete this code sequence. 


We will now focus on the algorithm for insertion into code trees. We do not
define the algorithm here, but only describe it informally and give an illustrating
example. The algorithm is similar to the standard insertion algorithm for code
trees (or discrimination trees), but with the following differences. First, we perform
the insertion ignoring Compare instructions altogether. Second, we shift some
Compare instructions down the tree. Third, we insert the remaining Compare
instructions from the new code.

Example 3. Consider a code tree for the set {f(x_1, x_1, x_2, x_2), f(x_1, x_1, a, b)}:

initl : Initialize(l1)
l1 : Check(f, l2, faill)
l2 : Put(1, l3, faill)
l3 : Put(2, l4, faill)
l4 : Compare(1, 2, l5, faill)
l5 : Put(3, l6, l9)               l9  : Check(a, l10, faill)
l6 : Put(4, l7, faill)            l10 : Check(b, l8, faill)
l7 : Compare(3, 4, l8, faill)
l8 : Success
Suppose that we insert into the set the new term t = f(x_1, x_2, x_1, x_1). The code
sequence for this term consists of the traversal code

initl : Initialize(m1)
m1 : Check(f, m2, faill)
m2 : Put(1, m3, faill)
m3 : Put(2, m4, faill)
m4 : Put(3, m5, faill)
m5 : Put(4, m6, faill)

followed by a sequence of Compare instructions corresponding to a computation
sequence for the equivalence relation E_t consisting of two classes {1,3,4} and {2}.

If we ignore the Compare instructions in the code tree, then the nodes
m1, m2, m3, m4, m5 would be merged into the nodes l1, l2, l3, l5, l6, respectively.
But between l3 and l5 the tree contains the instruction l4 : Compare(1, 2, l5, faill),
and (1,2) does not belong to E_t. So, we have to move Compare(1, 2, l5, faill) down
the tree. The instruction l7 : Compare(3, 4, l8, faill) can be shared, since (3,4)
belongs to E_t. To compute the equivalence relation E_t, we should add either
(1,3) or (1,4) to the computation sequence (3,4). So, we obtain the following
code tree:

initl : Initialize(l1)
l1 : Check(f, l2, faill)
l2 : Put(1, l3, faill)
l3 : Put(2, l5, faill)
l5 : Put(3, l6, l11)              l11 : Compare(1, 2, l9, faill)
l6 : Put(4, l7, faill)            l9  : Check(a, l10, faill)
l7 : Compare(3, 4, l4, faill)     l10 : Check(b, l8, faill)
l4 : Compare(1, 2, l8, l12)       l12 : Compare(1, 3, l8, faill)
l8 : Success


5 Experiments 


Our experiments have shown that in many cases making code trees partially
adaptive gives a significant reduction in the total number of executed instructions,
though it may increase the number of executed expensive Compare
instructions. We compared the overall performance of the system with the partially
adaptive version of code trees and with the basic version on 75 problems from the
MIX division of CASC-16 [7]. Note that both compared versions are based on
flatterms; the old version dealing with tree-like queries is unfortunately not
available for comparison. The problems were run with a time limit of 10 minutes
on a PC with a Pentium III 500MHz processor. We restricted memory usage
to 300Mb and the number of kept clauses to 100000. In the table below we give
the times consumed by the optimised version and the basic one (time1 and time2,
respectively). To make the comparison, we calculate the percentage difference (diff)
between the times consumed by the two versions w.r.t. the best time. A negative
value of diff indicates cases where the optimised version showed worse results. From
the whole benchmark suite 34 problems were selected by the following criteria: (1)
one of the versions works at least 30 seconds on the selected problem with the
given limits, (2) the absolute value of diff must exceed 1%.
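
The diff measure can be written out explicitly. The formula below is an assumption reconstructed from the description: the difference of the two times is taken relative to the better (smaller) time, and it is positive when the optimised version is faster. The function name diff_percent is hypothetical; the sample times are those reported for alg004-1 and boo020-1.

```python
def diff_percent(time1, time2):
    """Percentage difference between the optimised time (time1) and the
    basic time (time2), relative to the better of the two.

    Assumed reading of the text: positive when the optimised version is
    faster, negative when it is slower.
    """
    return 100.0 * (time2 - time1) / min(time1, time2)

print(f"{diff_percent(37.9, 41.64):.1f}%")    # alg004-1, optimised version faster
print(f"{diff_percent(42.2, 40.95):.1f}%")    # boo020-1, optimised version slower
```

Small deviations in the second decimal place from the reported values are to be expected, since the reported times are themselves rounded.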


problem  | diff    | time1  | time2  || problem  | diff    | time1  | time2
alg003-1 | ?       | ?      | ?      || lcl005-1 | ?       | ?      | 91.17
alg004-1 | 9.86%   | 37.9   | 41.64  || lcl015-1 | -1.26%  | 72.09  | 71.19
boo020-1 | -3.05%  | 42.2   | 40.95  || lcl016-1 | -1.27%  | 71.27  | 70.37
cid003-1 | 9.92%   | 35.67  | 39.21  || lcl017-1 | 2.47%   | 72.05  | 73.83
cid003-2 | 6.36%   | 46.97  | 49.96  || lcl020-1 | 10.74%  | 77.41  | 85.73
civ002-1 | -2.54%  | 86.59  | 84.44  || lcl021-1 | 5.28%   | 76.89  | 80.95
col077-1 | -1.38%  | 30.79  | 30.37  || lcl099-1 | 4.62%   | 42.81  | 44.79
grp054-1 | 1.48%   | 51.24  | 52     || lcl105-1 | 4.31%   | 39.15  | 40.85
grp073-1 | -1.39%  | 34.22  | 33.75  || lcl122-1 | 1.14%   | 80.34  | 81.26
grp106-1 | -1.19%  | 47.61  | 47.05  || lcl125-1 | -1.01%  | 36     | 35.64
grp107-1 | -1.11%  | 70.55  | 69.77  || lcl127-1 | 3.99%   | 57.02  | 59.3
grp108-1 | -1.15%  | 56.93  | 56.28  || lcl129-1 | 3.7%    | 32.42  | 33.61
grp110-1 | -1.54%  | 40.2   | 39.59  || lcl166-1 | 5.54%   | 77.36  | 81.65
grp111-1 | -1.1%   | 53.86  | 53.27  || lcl167-1 | 10.48%  | 77.26  | 85.36
lat002-1 | -2.53%  | 61.13  | 59.62  || prv008-1 | 9.65%   | 166.47 | 182.55
lat005-3 | -1.75%  | 61.31  | 60.25  || rng025-1 | 49.18%  | 31.98  | 47.71
lat005-4 | -4.15%  | 60.43  | 58.02  || rng034-1 | 11.46%  | 50.69  | 56.5


Abstract. This paper proposes a formal framework for argumentative
dialogue systems with the possibility of counterargument. The framework 
allows for claiming, challenging, retracting and conceding propositions. 
It also allows for exchanging arguments and counterarguments for propo- 
sitions, by incorporating argument games for nonmonotonic logics. A key 
element of the framework is a precise definition of the notion of relevance 
of a move, which enables flexible yet well-behaved protocols. 


1 Introduction 


In recent years, dialogue systems for argumentation have received interest in 
several fields of artificial intelligence, such as explanation [2], AI and law [4, 6],
discourse generation [5], multi-agent systems [10, 1], and intelligent tutoring [9]. 
These developments justify a formal study of such dialogue systems; this paper 
contributes to this study by an attempt to integrate two relevant developments 
in the fields of argumentation theory and artificial intelligence. 

In argumentation theory, formal dialogue systems have been developed for 
so-called ‘persuasion’ or ‘critical discussion’; see e.g. [8, 14]. In persuasion, the 
initial situation is a conflict of opinion, and the goal is to resolve this conflict 
by verbal means. The dialogue systems regulate the use of speech acts for such 
things as making, challenging, accepting, withdrawing, and arguing for a claim. 
The proponent of a claim aims at making the opponent concede his claim; the op- 
ponent instead aims at making the proponent withdraw his claim. A persuasion 
dialogue ends when one of the players has fulfilled their aim. Logic governs the
dialogue in various ways. For instance, if a participant is asked to give grounds 
for a claim, these grounds have to logically imply the claim. Or if a proponent’s 
claim is logically implied by the opponent’s concessions, the opponent is forced 
to accept the claim, or else withdraw some of her concessions. 

Although such dialogue systems make an interesting link between the (static) 
logical and (dynamic) dialogical aspects of argumentation, they have one impor- 
tant limitation. The underlying logic is deductive, so that players cannot reply to 
an argument with a counterargument, since such a move presupposes a nonmono- 
tonic, or defeasible logic. Yet in actual debates it is very common to attack one’s 
opponent’s arguments with a counterargument. This is where a recent development
in AI becomes relevant, viz. the modelling of nonmonotonic, or defeasible
reasoning in the form of dialectical argument games; e.g. [7, 13, 11]. Such games
model defeasible reasoning as a dispute between a proponent and opponent of 
a proposition. The proponent starts with an argument for it, after which each 
player must attack the other player’s previous argument with a counterargument 
of sufficient strength. The initial proposition is provable if the proponent has a 
winning strategy, i.e., if he can make the opponent run out of moves in whatever 
way she attacks. Clearly, this dialectical setup fits well with the above-mentioned 
dialogue system applications. The main aim of this paper is to incorporate these 
argument games in protocols for persuasion dialogue. This results in a subtype 
of persuasion dialogues that in [11] were called ‘disputes’. 
The following example illustrates these observations. 


Paul: My car is safer than your car. (persuasion: making a claim) 

Olga: Why is your car safer? (persuasion: asking grounds for a claim) 

Paul: Since it has an airbag. (persuasion: offering grounds for a claim; dispute: 
stating an initial argument) 

Olga: That is true, (persuasion: conceding a claim) but I disagree that this 
makes your car safe: the newspapers recently reported on airbags expanding 
without cause. (dispute: stating a counterargument) 

Paul: I also read that report (persuasion: conceding a claim) but a recent scien- 
tific study showed that cars with airbags are safer than cars without airbags, and 
scientific studies are more reliable than sporadic newspaper reports. (dispute: re- 
butting a counterargument, and arguing about strength of conflicting arguments) 
Olga: OK, I admit that your argument is stronger than mine. (persuasion: con- 
ceding a claim) However, your car is still not safer, since its maximum speed is 
much higher. (dispute: alternative counterargument) 


A second aim of this paper is to study the design of argumentative dialogue 
systems. Although most current systems are carefully designed, their underlying 
principles are often hard to see. Therefore, I shall in Section 2 propose a general 
framework for disputational protocols, based on intuitive principles. In Section 3 
I shall instantiate it with a particular protocol (illustrated in Section 4), after 
which I conclude with a discussion in Section 5.


2 A Framework for Disputational Protocols 


2.1 Elements and Variations 


In the present framework, the initial situation of a persuasion dialogue is a con- 
flict of opinion between two rational agents about whether a certain claim is 
tenable, possibly on the basis of shared background knowledge. The goal of a 
persuasion dialogue is to resolve this conflict by rational verbal means. The dia- 
logue systems should be designed such that they are likely to promote this goal. 
Differences between the various protocols might be caused by different opinions 
on how this goal can be promoted, but also by, for example, different contexts
in which dialogues take place (e.g. legal, educational, or scientific dispute), or by
limitations of such resources as time or reasoning capacity. 

The present framework fixes the set of participants; two players are assumed, 
a proponent and an opponent of an initial claim. According to [14], dialogue 
systems regulate four aspects of dialogues: 


— Locution rules (what moves are possible);
— Structural rules (when moves are legal);
— Commitment rules (the effects of moves on the players’ commitments);
— Termination rules (when dialogues terminate and with what outcome).


For present purposes a fifth element must be distinguished, viz. the underlying 
logic for defeasible argumentation. On all five points the framework must allow 
for variations. In particular, the framework should leave room for: 


— allowing one or allowing several moves per turn (unique-move vs. multi-move
protocols);
— different choices on whether players can move alternatives to their earlier
moves (unique-response vs. multi-response protocols);
— different underlying argument games (but all for justification);
— various sets of speech acts (but always including claims and arguments);
— different rules for legality of dialogue moves, in particular:
   • different views on inconsistent commitments;
   • automatic vs. forced commitment to implied commitments;
— different rules for the effects of moves on the commitments of the players;
— different termination and winning criteria.


On the other hand, some conditions are hardwired in the framework. Most
importantly, every move must somehow have a bearing on the main claim. This is
realised by two other principles: every move must be a reply to some other move,
being either an attack or a surrender, and every move should be relevant.


2.2 The Framework 


The framework defines the notion of a protocol for persuasion with dispute (PPD).


Definition 1. [Protocols for persuasion with dispute]. A protocol for persuasion
with dispute (PPD) consists of the following elements: (L, Players, Acts, Replies,
Moves, PlayerToMove, Comms, Legal, Disputes, Winner), as defined below.


I now define and comment on each of the elements of a protocol for dispute. 


— L is a notion of [11], viz. a protocol for disputes based on a logic for defeasible
argumentation. wff(L) is the set of all well-formed formulas of L’s language
and Args(L) the set of all its well-formed arguments. For any set T ⊆ wff(L),
Args_L(T) ⊆ Args(L) are all L-arguments constructible on the basis of the
input information T. Below, L will often be left implicit.

Logics for defeasible argumentation (cf. [12]) formalise nonmonotonic reasoning
as the construction and comparison of possibly conflicting arguments. They
define the notions of an argument and of conflict between arguments, and assume
or define standards for comparing arguments. The output is a classification of
arguments as, for instance, ‘justified’, ‘defensible’ or ‘overruled’. One way to
define argumentation logics is, as noted above, in the form of argument games. In
[11] I showed how these games can be ‘dynamified’ in that the information base
is not given in advance but constructed during the dispute. For present purposes
this is very important, since in persuasion dialogues this typically happens.
The format of both argument games and protocols for dispute is very similar
to that of PPDs. The main elements missing are the set Acts and the functions
Replies and Comms, since these formalisms have no room for speech acts.


— Players = {P, O}. The other player is written $\overline{Player}$:
$\overline{Player}$ = O iff Player = P, and $\overline{Player}$ = P iff Player = O.

— Acts is the set of speech acts. {claim φ, argue(Φ, so φ)} ⊆ Acts (here,
Φ ⊆ wff(L), φ ∈ wff(L) and (Φ, so φ) ∈ Args(L)). Acts have a performative
and a content part. Note that each protocol has a claim and an argue act.

— Replies: Acts → Pow(Acts)


is a function that assigns to each act its possible replies. It is defined in terms
of two other functions of the same type, Attacks and Surrenders. These
functions jointly satisfy the following conditions. For any A, B ∈ Acts:

1. B ∈ Replies(A) iff B ∈ Attacks(A) or B ∈ Surrenders(A);

2. Attacks(A) ∩ Surrenders(B) = ∅;

3. If B ∈ Surrenders(A), then Replies(B) = ∅;

4. If B ∈ Attacks(A), then Replies(B) ≠ ∅.


Intuitively, an attacking reply is a challenge to the replied-to act, while a sur- 
rendering reply gives up the possibility of attack. For instance, challenging a 
claim, responding to a challenge with an argument for the claim, and stating a 
counterargument are attacking replies, while retracting a proposition in reply to 
a challenge and conceding a proposition in reply to a claim are surrenders. 
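
The four conditions on Replies can be checked mechanically for a concrete choice of Attacks and Surrenders. The following Python sketch is only an illustration under simplifying assumptions: acts are represented by their performative alone (the content part is ignored), the particular tables ATTACKS and SURRENDERS are a hypothetical toy instance, and the function names replies and violations are not part of the framework. Condition 1 holds by construction, since replies is defined as the union of the two tables.

```python
# Hypothetical toy instance: acts are identified with their performative.
ACTS = {"claim", "why", "argue", "concede", "retract"}
ATTACKS = {"claim": {"why"}, "why": {"argue"}, "argue": {"why", "argue"}}
SURRENDERS = {"claim": {"concede"}, "why": {"retract"}, "argue": {"concede"}}

def replies(act, attacks, surrenders):
    """Condition 1: the replies to an act are its attacks plus its surrenders."""
    return attacks.get(act, set()) | surrenders.get(act, set())

def violations(acts, attacks, surrenders):
    """Return a list of (condition_number, A, B) triples that are violated."""
    found = []
    for a in acts:
        for b in acts:
            # Condition 2: no act is both an attack and a surrender.
            if attacks.get(a, set()) & surrenders.get(b, set()):
                found.append((2, a, b))
        for b in surrenders.get(a, set()):
            # Condition 3: a surrender cannot be replied to.
            if replies(b, attacks, surrenders):
                found.append((3, a, b))
        for b in attacks.get(a, set()):
            # Condition 4: an attack must have at least one possible reply.
            if not replies(b, attacks, surrenders):
                found.append((4, a, b))
    return found

print(violations(ACTS, ATTACKS, SURRENDERS))   # []
```

Removing the entry for "why" from both tables, for example, would violate Condition 4, since challenging a claim would then be an attack without any possible reply.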


— Moves is the set of all well-formed moves. All moves are initial or replying
moves. An initial move is of the form M_1 = (Player, Act), and a replying
move is of the form M_i = (Player, Act, Move) (i > 1). Player(M_i) denotes
the first element of a move M_i, Act(M_i) its second element and Move(M_i)
its third element. If Move(M_i) = M_j, we say that M_i is a reply to, or replies
to M_j, and that M_j is the target of M_i.

Now the set Moves is recursively defined as the smallest set such that if
Player ∈ Players, Act ∈ Acts and M_i ∈ Moves, then (Player, Act) ∈
Moves and (Player, Act, M_i) ∈ Moves.

— PlayerToMove determines the player to move at each stage of a dialogue. Let
Pow*(Moves) be the set of all finite sequences of subsets of Moves. Then


PlayerToMove: Pow*(Moves) → Players
such that PlayerToMove(D) = P if D = ∅; else
1. PlayerToMove(D) = P iff the dialogical status of M_1 is ‘out’;
2. PlayerToMove(D) = O iff the dialogical status of M_1 is ‘in’.


The PlayerToMove function is completely defined by the framework: proponent 
begins a dispute and then a player keeps moving until s/he has changed the 
‘dialogical status’ of the initial claim (to be defined below) his or her way. This 
function is hardwired in the framework since the Legal function of the framework 
requires moves to be relevant, and a move will (roughly) be defined to be relevant 
iff it can change the dialogical status of the initial move. Clearly, this does not 
leave room for other PlayerToMove functions than the above one. 


— Comms is a function that assigns to each player at each stage of a dialogue
a set of propositions to which the player is committed at that stage.


Comms: Pow*(Moves) × Players → Pow(wff(L))
such that Comms_∅(P) = Comms_∅(O).


Note that Comms_∅(p) can be nonempty (although it must have the same content
for P and for O). This allows for an initially agreed or assumed basis for
discussion. Note also that the framework does not require consistency of a player’s
commitments. This is because some protocols allow inconsistency, after which the
other player can demand retraction of one of the sources of inconsistency.


— Legal is a function that for any dialogue specifies the legal moves at that
point, given the dialogue so far and the players’ commitments. Let C_p (p ∈
Players) stand for Pow(wff(L)) × p. Then


Legal: Pow*(Moves) × C_P × C_O → Pow(Moves)


(Below I will usually leave the commitments implicit.)

This function is constrained as follows. For all M_i ∈ Moves and all D ∈
Pow*(Moves), if M_i ∈ Legal(D), then:

1. If D = ∅, then M_i is an initial move and Act(M_i) is of the form claim(φ);
2. Move(M_i) ∈ D;
3. Act(M_i) is a reply to Act(Move(M_i));
4. If M_i and M_j (j < i) are both replies to M_k ∈ D and M_j ∈ D, then
Act(M_i) ≠ Act(M_j);
5. If Act(M_i) is of the form argue(A), then M_i’s counterpart in the
L-dispute LD_i associated with D_i is legal in L_i;
6. M_i is relevant in D.



Condition 1 says that a dispute always starts with a claim. Condition 2 says
the obvious thing that a replied-to move must have been moved in the dialogue.
Condition 3 says that an act can only be moved if it is a reply to the act moved
in the replied-to move. Condition 4 states the obvious condition that if a player
backtracks, the new move must be different from the first move.
The last two conditions are crucial. Condition 5 incorporates the underlying
disputational protocol L, by requiring argue moves to conform to the legality
rules of this protocol. L_i is the proof-theoretical ‘subdispute’ of D in which
the argue move occurs. Note that the framework thus assumes that with each
sequence of PPD-moves an L-dispute can be associated. Particular protocols
must specify the details.

Finally, Condition 6 requires every move to be relevant. Relevance, to be defined
below, is the framework’s key element in allowing maximal freedom (including
backtracking and postponing replies) while still ensuring the focus of a dispute.


— Disputes is the set of all sequences M_1, ..., M_n of moves such that for all i:
1. Player(M_i) = PlayerToMove(M_1, ..., M_{i-1}),
2. M_i ∈ Legal(M_1, ..., M_{i-1}).

— Winner is a function that determines the winner of a dialogue, if any:


Winner: Disputes → Players


The winning function is constrained by the following condition.
• If Winner(D) = p, then PlayerToMove(D) = $\overline{p}$ and Legal(D) = ∅.


Thus, to win it must hold that the other player has run out of moves. The 
rationale for this is the relevance condition (to be defined next); as long as a 
player can make relevant moves, s/he should not be losing. Note that termination 
is defined implicitly, as the situation where a player-to-move has no legal moves. 

I now turn to relevance. This notion is defined in terms of the dialogical 
status of a move (either ‘in’ or ‘out’), which captures whether its mover has 
been able to ‘defend’ the move against attacks. A move can be in in two ways: 
the other player can have conceded it, or all attacks of the other player have 
been successfully replied to (where success is determined recursively). As for 
conceding a move, the general framework only states two necessary conditions: 


— If a move M is conceded in D, then it has a surrendering reply in D. 
— If M is conceded in D, it is conceded in all continuations of D. 


The reason why these conditions are not sufficient lies in the most natural treat- 
ment of replies to arguing moves. In Section 3 we shall see that an arguing move 
has several elements (premises, conclusion, inference rule), some of which can 
be surrendered but others attacked at the same time. Therefore the notion of 
conceding a move must be fully defined in particular dialogue systems. 


Definition 2. [Dialogical status of moves.] A move M of a dialogue D is either
in or out in D. It is in in D iff


1. M is conceded in D; or else
2. all attacking moves in D that reply to it are out in D.


Now a move is relevant iff any attacking alternative would change the status of
the initial move of the dialogue. This can be captured as follows.

Fig. 1. Dialogical status of moves.


Definition 3. [Relevance.] A move in a dialogue D is a relevant target iff any
attacking reply to it changes the dialogical status of D’s initial move. A move is
relevant in D iff it replies to a relevant target in D.


Note that a reply to a conceded move is never relevant. 

To illustrate these definitions, consider figure 1. The first dispute tree shows 
the situation after P,. The next tree shows the dialogical status of the moves 
when O has continued with replying to P3: this move does not affect the status 
of P,, so Oy is irrelevant. The final tree shows the situation where O has instead 
replied to Py: then the status of P, has changed, so O4, is relevant. 
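
Definitions 2 and 3 translate directly into a recursive procedure. The Python sketch below is an illustration under stated assumptions, not part of the framework: a move counts as conceded as soon as it has a surrendering reply (the framework leaves the full notion of concession to particular protocols), the class Move and the functions is_in, player_to_move and is_relevant_target are hypothetical names, and the small dialogue at the end is an invented example rather than the one of Figure 1.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Move:
    name: str
    player: str              # "P" or "O"
    attacking: bool          # True for an attack, False for a surrender
    target: Optional[str]    # name of the replied-to move; None if initial

def is_in(dialogue, name):
    """Definition 2, with the simplifying assumption that a move is
    conceded iff it has a surrendering reply."""
    replies = [m for m in dialogue if m.target == name]
    if any(not m.attacking for m in replies):
        return True
    return all(not is_in(dialogue, m.name) for m in replies if m.attacking)

def player_to_move(dialogue):
    """P starts; afterwards O moves iff the initial move is in."""
    if not dialogue:
        return "P"
    return "O" if is_in(dialogue, dialogue[0].name) else "P"

def is_relevant_target(dialogue, name):
    """Definition 3: would an attacking reply to `name` change the
    dialogical status of the initial move?"""
    initial = dialogue[0].name
    mover = next(m.player for m in dialogue if m.name == name)
    probe = Move("_probe", "O" if mover == "P" else "P", True, name)
    return is_in(dialogue, initial) != is_in(dialogue + [probe], initial)

# Invented example: P claims, O attacks, P counterattacks, O attacks the claim anew.
D = [
    Move("M1", "P", True, None),
    Move("M2", "O", True, "M1"),
    Move("M3", "P", True, "M2"),
    Move("M4", "O", True, "M1"),
]
print(player_to_move(D))             # P
print(is_relevant_target(D, "M4"))   # True
print(is_relevant_target(D, "M2"))   # False
```

In this example M1 is out because O's alternative attack M4 is in. Attacking M4 would bring M1 back in, so M4 is a relevant target for P, whereas a further attack on M2, which is already out, would leave the status of M1 unchanged.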


3 An Instantiation of the Framework 


To illustrate the general framework, I now instantiate it with a specific protocol. 


The Underlying Disputational Protocol The disputational protocol L is 
that of liberal disputes as defined in [11], instantiated with proof-theoretical 
rules for sceptical argumentation. Liberal disputes allow an argument as long as 
it is relevant. In [11] it is shown that this protocol satisfies certain ‘soundness’ 
and ‘fairness’ properties with respect to the underlying argumentation logic. 
Besides a set Args of constructible arguments, L also assumes a binary relation
of defeat among arguments. An argument strictly defeats another if the
first defeats the second but not the other way around. Now Dung’s argument
game says that proponent begins with an argument and then players take turns
as follows: proponent’s arguments strictly defeat their targets, while opponent’s
arguments defeat their targets. In addition, proponent is not allowed to repeat
his moves in one ‘dialogue line’ (a dispute without backtracking moves). The
precise definitions of the notions of an argument, conflict and comparison of
arguments are not essential, and therefore I keep these elements semiformal, using
obvious logical symbols in the examples, with both material (⊃) and defeasible
(⇒) implication. But the protocol assumes that arguments can be represented
as a premises-conclusion pair Φ, so φ, where Φ ⊆ wff(L) are the premises and
φ ∈ wff(L) is the conclusion of the argument.


Speech Acts The set of speech acts is defined as follows.


Acts                   | Attacks               | Surrenders
claim φ                | why φ                 | concede φ
why φ                  | argue(Φ, so φ)        | retract φ
concede φ              |                       |
retract φ              |                       |
argue(Φ, so φ)         | why φ_i (φ_i ∈ Φ)     | concede φ_i (φ_i ∈ Φ)
                       | argue(Φ′, so φ′)      | concede(Φ implies φ)
concede(Φ implies φ)   |                       |


Here Φ, Φ′ ⊆ wff(L), φ, φ′ ∈ wff(L), and (Φ, so φ) and (Φ′, so φ′) ∈ Args(L).

The claim, why, retract and concede φ moves are familiar from MacKenzie-style
dialogue systems. The argue move is present in e.g. [4] and [14]. The move of
conceding an inference is adapted from [4]. Its effect is to give up the possibility
of counterargument. Note that an argument can be replied to by replying to one
of its premises or to its inference rule, or by a counterargument.


Commitment Rules The commitment rules are as follows. Let D_i =
M_1, ..., M_i be any sequence of moves, and let Player(M_i) = p.
— If Act(M_i) = claim φ or concede φ, then Comms_{D_i}(p) = Comms_{D_{i-1}}(p) ∪ {φ}.
— If Act(M_i) = argue(Φ, so φ), then Comms_{D_i}(p) = Comms_{D_{i-1}}(p) ∪ Φ ∪ {φ}.
— If Act(M_i) = retract φ, then Comms_{D_i}(p) = Comms_{D_{i-1}}(p) \ {φ}.
— In all other cases the commitments remain unchanged.


The effects of claims, concessions and retractions are obvious. As for the
effects of moving arguments, note that their conclusion is not also added to the
mover’s commitments. This is because some dialectical proof theories, including
the one used here, sometimes allow a player to attack himself. In [14] the
material implication is also added to the commitments of the argument’s mover.
Although this works fine if the underlying logic is monotonic, in the present
approach, which allows defeasible arguments, this is different.


Legality of Moves The definition of the Legal function is completed as follows.
For all M_i ∈ Moves and all D ∈ Pow*(Moves), M_i ∈ Legal(D) iff the above
conditions and the following conditions are satisfied.


7. Each move must leave the mover’s commitments classically consistent;
8. If Act(M_i) = concede φ, then
(a) Comms_{D_{i-1}}(Player_i) ⊬ φ;
(b) Comms_{D_{i-1}}(Player_i) do not justify ¬φ;
9. If Act(M_i) = retract φ, then
(a) φ ∈ Comms_{D_{i-1}}(Player_i); and
(b) φ was explicitly added to Comms_{D_{i-1}}(Player_i).
10. If Act(M_i) = why φ, then Comms_{D_{i-1}}(Player_i) do not justify φ.
11. If Act(M_i) = argue(Φ, so φ), then
(a) all preceding moves M_j ∈ D with Act(M_j) = why φ_i (φ_i ∈ Φ) are out;
(b) If M_i replies to an argue move M_j, then M_j has no child concede(Φ, so φ).


As for Condition 7, note that a commitment set which supports two conflicting 
defeasible arguments does not have to be classically inconsistent. Whether it is, 
depends on the underlying logic for constructing arguments. Many logics allow 
the consistent expression of examples like “Tweety is a bird, birds generally fly, 
but Tweety does not fly’. This enables such moves as “I concede your argument 
as the general case, but in this case I have a counterargument ..” 

Condition 8a says that a proposition may only be conceded if the mover 
is not committed to it. (This allows conceding a proposition that is defeasibly 
implied by the player’s own commitments.) Condition 8b forbids conceding a 
proposition if the opposite is justified by the player’s own commitments. 

Condition 9 is obvious. Condition 10 allows retractions of ‘explicit’
commitments only. This forces a player to explicitly indicate how an implied
commitment is retracted. Condition 11a forbids moving arguments of which the premises
are under challenge. This is [8]’s way to avoid arguments that “beg the
question”. Finally, Condition 11b says that if an argument was already conceded, no
counterargument can be stated any more.


Conceding a Move Next I complete the definition of conceding a move. 


Definition 4 (Conceding a move). A move M in a dialogue D has been
conceded iff


— Act(M) ≠ argue(A) and M has a surrendering child; or
— Act(M) = argue(A) and both all premises and the inference rule of A have
been conceded.


Associated L-Disputes Next the notion of an L-dispute associated with a 
PPD-dispute must be defined. This notion is used in determining legality of 
counterarguments, but it can also serve to study logical properties of winning 
criteria. The idea is that during a PPD-dispute an L-dispute of arguments and 
counterarguments is constructed. A technical problem is that argue replies to 
why moves extend an argument backwards, by replacing one of its premises with 
an argument for this premise. To account for this, we must first define the notions 
of a combination of two arguments and of a modification of an argument. 


Definition 5. [Combinations of arguments.] Let A = (S, so φ) and B = (S′,
so ψ) be two arguments such that ψ ∈ S. Then A ⊗ B = (S \ {ψ}) ∪ S′, so φ.

Definition 6. [Modification of arguments.] For any arguments A, B and C, A
is a modification of A; if B is a modification of A and B ⊗ C is defined, then
B ⊗ C is a modification of A; nothing else is a modification of A. We also say
that A modifies A, and B modifies A in A ⊗ B. And an argue move modifies
another argue move if the argument moved by the first modifies the argument
moved by the second move.

For any move M = (p, a, m) and arguments a and b, M[a/b] = (p, argue(b), m)
if a = argue(a); otherwise M[a/b] = M. Likewise for initial moves.
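
The combination operation of Definition 5 is easy to state operationally. The following Python sketch is an illustration only: arguments are represented as a pair of a premise set and a conclusion, formulas are plain strings, and the names Argument and combine are hypothetical.

```python
from typing import FrozenSet, NamedTuple

class Argument(NamedTuple):
    premises: FrozenSet[str]   # the set S of premises
    conclusion: str            # the conclusion

def combine(a: Argument, b: Argument) -> Argument:
    """A (x) B: replace the premise of A that B concludes by B's premises.

    Only defined when the conclusion of B is a premise of A.
    """
    if b.conclusion not in a.premises:
        raise ValueError("conclusion of B is not a premise of A")
    return Argument((a.premises - {b.conclusion}) | b.premises, a.conclusion)

A = Argument(frozenset({"p", "q"}), "r")   # p, q, so r
B = Argument(frozenset({"s"}), "q")        # s, so q
print(sorted(combine(A, B).premises), combine(A, B).conclusion)   # ['p', 's'] r
```

Here the premise q of A is replaced by the premise s of the argument B for q, which is the backward extension of an argument that an argue reply to a why move produces.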


Now the notion of the L-part of a dispute can be defined. 


Definition 7. [L-disputes of a PPD-dispute.] For any PPD-dispute D, the
associated L-dispute T(D) is a sequence of argue moves defined as follows.


1. T(∅) = ∅;
2. If Act(M_{i+1}) ≠ argue(A) for any A, then T(D_{i+1}) = T(D_i);
3. If Act(M_{i+1}) = argue(A) for some A, then
   (a) If M_{i+1} replies to an argue move M_j, then T(D_{i+1}) = T(D_i), M′_{i+1},
       where M′_{i+1} is M_{i+1} except that it replies to the move in T(D_{i+1})
       modified by M_j;
   (b) If M_{i+1} = (p, α, m) replies to a why move replying to a claim, then
       T(D_{i+1}) = T(D_i), (p, α);
   (c) If M_{i+1} replies to a why φ move replying to an argue(B) move M_j, then
       i. If T_i contains any argue moves M_k, resulting from modifications
          of M_j such that their arguments C still have a premise φ, then
          T(D_{i+1}) = T*(D_i), where T*(D_i) is obtained from T(D_i) by
          replacing C in all such M_k with C ⊗ A, and then adjusting the targets
          of moves when these targets have been changed.
       ii. Else T(D_{i+1}) = T(D_i), M′_j, where M′_j is obtained from M_j by
          replacing B with B ⊗ A.


So the construction of an L-dispute starts with the empty set, and each PPD- 
move other than an argue move leaves its content unchanged. As for argue PPD- 
moves, two cases must be distinguished, whether it replies to another argue move 
or to a why move. In the first case the argue move can simply be added to 
the L-dispute, but the second case is more complex. Again two cases must be 
considered. If the replied-to why move itself replied to the initial claim, then 
the argue is the root of a new dialectical tree, so the move to which it replies 
must be omitted, to turn it into an initial move. Finally, if the replied-to why φ
move challenged the premise of an argument B, then again two cases must be
considered. If the L-dispute contains modifications of B that still contain premise
φ, then these modifications (if not equal to B itself) were triggered by a why
attack on another premise of B. In that case φ must in all these modifications
be replaced with the premises of A. Note that if no such other why attacks were
made, this boils down to modifying B itself. (Note also that if in T, M_i replies
to M_j, and M_j is then modified by M_k, from then on M_i replies to the modified
move.) If, however, no modification of B in the L-dispute contains a premise φ,
then moving A was an alternative to an earlier reply to the why φ move. Then we
must add to the L-dispute an alternative modification of the original argue(B)
move, with B ⊗ A (note that the original move was not in T_i any more).

In general an L-dispute is a collection of trees, since a why reply to the initial 
move can be answered with alternative arguments. So the condition of the general 
framework that an argue move M is legal in the associated L-dispute means that 
M is legal in the tree contained in this dispute that itself contains Move(M). 


Winning As for winning, several definitions are conceivable. Part of the aim of 
the present framework is to provide a setting in which the alternatives can be 
compared. In the present protocol I simply turn the necessary conditions of the 
general framework into a necessary-and-sufficient condition. 


Definition 8. For any dispute D, Winner(D) = p iff PlayerToMove(D) = p̄
and Legal(D) = ∅.


It is immediate that if p wins D, then M_1 in D is labelled p’s way. However, the
same does not always hold for the associated L-dispute. Consider the following
dispute D. (In the examples below I leave the replied-to move implicit if it is the
preceding move, and P_i and O_i stand for turns of a player.)


P1: claim p                        O1: why p
P2: argue(q, q ⇒ p, so p)          O2: argue(q, r, q ∧ r ⇒ ¬p, so ¬p)
P3: why r                          O3: concede p (to P1)


Now P has won, but T(D) = P2, O2, in which P2 is out and O2 is in. So a player
can lose by unforced surrenders.

It also holds that if O has won, P is not committed to his main claim any 
more. This is since if all other moves have become illegal for P, he can still 
surrender to O’s initial why attack. However, it does not hold that if P has won, 
O is always committed to P’s main claim φ. This is since O might have moved
an argument with premise ¬φ and in the course of the dispute retracting ¬φ may
have become irrelevant and thus illegal, so that conceding M_1 has also become
illegal. Future research should reveal whether this is a problematic property of 
the protocol. 


4 Examples of Dialogues 


Example 1. Most argumentation logics do not allow counterarguments to deduc- 
tively valid arguments. If such a logic underlies our protocol, then conceding the 
premises of such an argument can cause a loss. Consider 


P1: claim p                        O1: why p
P2: argue(q, q ⊃ p, so p)          O2: concede q, concede q ⊃ p


Now O is still to move, and her only legal moves are concede({q, q ⊃ p} implies
p) and concede p, after which moves P1 is still in, so O cannot move.


Example 2. The next example (on the Nixon diamond) shows that a player can
lose with a poor move even if the player’s own commitments support a valid
counterargument. Suppose Comms_∅(O) = {Qx ⇒ Px, Qn} and consider


P1: claim ¬Pn                          O1: why ¬Pn
P2: argue(Rn, Rx ⇒ ¬Px, so ¬Pn)        O2: concede Rn, concede Rx ⇒ ¬Px,
                                           concede ¬Pn (to P1).


Now P wins while O could instead of conceding P1 have attacked it with
argue(Qn, Qx ⇒ Px, so Pn). Note also that if O had not conceded P2’s premises,
then conceding ¬Pn would have violated condition 8b on move legality.


Example 3. The next dispute shows that a player can sometimes use the other 
player’s commitments against that player (the commitments are shown each time 
when they have changed). 


Move                                  Comms_D(P)                    Comms_D(O)
                                      {s ⇒ ¬q, r ∧ t ⇒ p}           {s ⇒ ¬q, r ∧ t ⇒ p}

P1: claim p                           {s ⇒ ¬q, r ∧ t ⇒ p, p}

O1: why p

P2: argue(r, s, r ∧ s ⇒ p, so p)      {s ⇒ ¬q, r ∧ t ⇒ p, p,
                                       r, s, r ∧ s ⇒ p}

O2: concede r,                                                      {s ⇒ ¬q, r ∧ t ⇒ p, q, r,
    argue(q, q ⇒ t, t ⇒ ¬s, so ¬s)                                   q ⇒ t, t ⇒ ¬s, ¬s}


At this point, O’s commitments justify p, since they contain an implicit argu- 
ment for p. Suppose P next moves this argument. Then O can in turn use a 
counterargument supported by P’s commitments. 


Move                                  Comms_D(P)                    Comms_D(O)

P3: argue(r, q, q ⇒ t,                {s ⇒ ¬q, r ∧ t ⇒ p, p,        {s ⇒ ¬q, r ∧ t ⇒ p, q, r,
    r ∧ t ⇒ p, so p)                   r, s, r ∧ s ⇒ p,              q ⇒ t, t ⇒ ¬s, ¬s}
                                       q, q ⇒ t}

O3: argue(s, s ⇒ ¬q, so ¬q)


And the dispute continues. 


Example 4. Next I illustrate the construction of an L-dispute. I first list a
PPD-dispute and then the construction of the associated L-dispute.


P1: claim p                            O1: why p
P2: argue(q, q ⇒ p, so p)              O2: argue(r, r ⇒ ¬p, so ¬p)
P3: argue(s, t, s ∧ t ⇒ p, so p)       (P3 jumps back to O1)
                                       O3: why s
P4: argue(u, u ⇒ s, so s)              O4: argue(v, v ⇒ ¬u, so ¬u)
P5: argue(x, x ⇒ s, so s)              (P5 jumps back to O3)
                                       O5: argue(y, y ⇒ ¬x, so ¬x)
P6: argue(z, z ⇒ ¬r, so ¬r)            (P6 jumps back to O2)
(O6 jumps back to P3)                  O6: why t
P7: argue(k, k ⇒ t, so t)


The associated L-dispute is constructed as follows. The first two arguments are
added with P2 and O2, so (denoting disputes with their last move and listing
the replied-to moves between square brackets):


T(P2) = P2
T(O2) = P2, O2[P2]


So far, T contains just one dialectical tree. A second tree is created by P3, which
is an alternative argue reply to O’s why attack on P’s main claim. Hence


T(P3) = P2, O2[P2], P3


With P4 the first modification of an argument in T takes place. P3’s argument
is combined with P4’s argument for s (displayed with overloaded ⊗).


T(P4) = P2, O2[P2], P3 ⊗ P4

O4 simply adds a new argument, which replies to P3 as modified by P4.

T(O4) = P2, O2[P2], P3 ⊗ P4, O4[P3 ⊗ P4]


P5 splits the second tree in T into two alternative trees, by giving an alternative
backwards extension of its root. Then O5 simply extends the newly created tree,
after which P6 extends the first tree in T.


T(P5) = P2, O2[P2], P3 ⊗ P4, O4[P3 ⊗ P4], P3 ⊗ P5
T(O5) = P2, O2[P2], P3 ⊗ P4, O4[P3 ⊗ P4], P3 ⊗ P5, O5[P3 ⊗ P5]
T(P6) = P2, O2[P2], P6[O2], P3 ⊗ P4, O4[P3 ⊗ P4], P3 ⊗ P5, O5[P3 ⊗ P5]


Finally, P7 illustrates an interesting phenomenon. It replaces the second premise
of P3 with an argument; however, P3 was already modified twice in two
alternative ways with respect to its first premise, so P7 actually modifies both of
these modifications of P3. This results in the following final L-dispute. (Note also
that the targets of O4 and O5 have been replaced with their extended versions.)


P2: q, q ⇒ p, so p
O2: r, r ⇒ ¬p, so ¬p [P2]
P6: z, z ⇒ ¬r, so ¬r [O2]


P3 ⊗ P4 ⊗ P7: u, u ⇒ s, k, k ⇒ t, s ∧ t ⇒ p, so p
P3 ⊗ P5 ⊗ P7: x, x ⇒ s, k, k ⇒ t, s ∧ t ⇒ p, so p
O4: v, v ⇒ ¬u, so ¬u [P3 ⊗ P4 ⊗ P7]
O5: y, y ⇒ ¬x, so ¬x [P3 ⊗ P5 ⊗ P7]
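

The two combined arguments in the final L-dispute can be recomputed mechanically from Definition 5. The following is a minimal Python sketch, not part of the original protocol: the names Argument, arg and combine are hypothetical, premises are represented as plain strings, and "&", "=>" stand in for ∧ and ⇒.

```python
from typing import FrozenSet, NamedTuple


class Argument(NamedTuple):
    """An argument (S, so phi): a set of premises and a conclusion."""
    premises: FrozenSet[str]
    conclusion: str


def arg(*premises: str, so: str) -> Argument:
    """Convenience constructor (hypothetical helper)."""
    return Argument(frozenset(premises), so)


def combine(a: Argument, b: Argument) -> Argument:
    """A (x) B: replace the premise of A that B concludes by B's premises."""
    if b.conclusion not in a.premises:
        raise ValueError("A (x) B is undefined: B's conclusion is not a premise of A")
    return Argument((a.premises - {b.conclusion}) | b.premises, a.conclusion)


# The arguments moved by P3, P4, P5 and P7 in Example 4.
p3 = arg("s", "t", "s & t => p", so="p")
p4 = arg("u", "u => s", so="s")
p5 = arg("x", "x => s", so="s")
p7 = arg("k", "k => t", so="t")

first = combine(combine(p3, p4), p7)   # P3 (x) P4 (x) P7
second = combine(combine(p3, p5), p7)  # P3 (x) P5 (x) P7
```

Under these assumptions, first has the premises u, u ⇒ s, k, k ⇒ t, s ∧ t ⇒ p and second has x, x ⇒ s, k, k ⇒ t, s ∧ t ⇒ p, both with conclusion p, in agreement with the listing above. The sketch covers only the combination operator; the bookkeeping of reply targets in Definition 7 is not modelled.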


Alternative Instantiations To discuss some alternative instantiations of the
framework, note first that alternative definitions of winning may be possible, for 
instance, in terms of what is implied by the players’ commitments. Secondly, as 
for maintaining consistency of one’s commitments, some protocols allow incon- 
sistency but give the other party the option to demand resolution of the conflict; 
a similar resolve move is possible if a commitment is explicitly retracted but 
still implied by the remaining commitments [8, 14]. Thus the burden of proving 
inconsistency or implicit commitment is placed upon the other party. Finally, as 
for replies to why moves, the obligation to reply to it with an argument for the 
challenged claim could be made dependent on questions of the burden of proof. 


Features and Restrictions of the Framework The framework of this paper 
is flexible in some respects but restricted in some other respects. It is flexible, 
firstly, since it allows for different sets of speech acts, and different commitment 
rules, underlying logics and winning criteria. It is also ‘structurally’ flexible, in 
that it allows for backtracking, including jumping to earlier branches, and for 
postponing replies to moves (even indefinitely if the move has become irrelevant).
This flexibility is induced by the notion of relevance. 

However, the framework also has some restrictions. For instance, the condi- 
tion of relevance prevents the moving in one turn of alternative ways to change 
the status of the main claim. Further, the requirement that each move replies 
to a preceding move excludes some useful moves, such as lines of questioning 
in cross-examination of witnesses, with the goal of revealing an inconsistency in 
the witness testimony. Typically, such lines of questioning do not want to reveal 
what they are aiming at. The same requirement also excludes invitations to re- 
tract or concede [8, 14]. Finally, the framework only allows two-player disputes, 
leaving no room for, for example, arbiters or judges. 


Related Research There have been some earlier proposals to combine formal 
dialogue systems with argumentation logics. Important early work was done by 
Loui [7], although he focussed less on speech act aspects. A major source of 
inspiration for the present research was Tom Gordon’s model of civil pleading 
in Anglo-American law [4] (cf. also [6]). Gordon presents a particular protocol
rather than a framework. The same holds for a recent proposal in the context of 
multi-agent negotiation systems [1]. Finally, [3] shows how protocols for multi- 
party disputes can be formalised in situation calculus. Brewka focuses less on 
dialectical and relevance aspects but more on describing the ‘current state’ of a 
dispute and how it changes. His approach paves the way for, for instance, formal 
verification of consistency of protocols. 


Conclusion This paper has presented a formal framework for persuasion dia- 
logues with counterargument, and has given one detailed instantiation. Unlike 
earlier work, the framework is based on some general design principles, notably
the distinction of attacking and surrendering replies to a move, and the notions 
of dialogical status and relevance of moves. The framework’s instantiation also 
provided a still generic notion of an argument-counterargument dispute associ- 
ated with a persuasion dialogue; I expect that this notion will provide a basis 
for investigating logical properties of the protocol, especially of its winning con- 
ditions. 

Being a first attempt to provide a general framework, the focus of this paper 
has been more on definition than on technical exploration. Much work needs to 
be done on investigating its properties. In fact, one aim of this paper was to 
make this further work possible. 


Abstract. This paper presents dialectical proof theories for Dung’s pre-
ferred semantics of defeasible argumentation. The proof theories have the 
form of argument games for testing membership of some (credulous rea- 
soning) or all preferred extensions (sceptical reasoning). The credulous 
proof theory is for the general case, while the sceptical version is for 
the case where preferred semantics coincides with stable semantics. The 
development of these argument games is especially motivated by applica- 
tions of argumentation in automated negotiation, mediation of collective 
discussion and decision making, and intelligent tutoring. 


1 Introduction 


An important approach to the study of nonmonotonic reasoning is that of logics 
for defeasible argumentation (for an overview see [25]). Within this approach, 
a unifying perspective is provided by the work of [9] and [4] (below called the 
‘BDKT framework’). It takes as input a set of arguments ordered by a binary 
relation of ‘attack’, and it produces as output one or more ‘argument extensions’, 
which are maximal (in some sense) sets of arguments that survive the compe- 
tition between all input arguments. A definition of argument extensions can be 
regarded as an argument-based semantics for defeasible reasoning. BDKT have 
developed various alternative such semantics, and investigated their properties 
and interrelations. They have also shown how many nonmonotonic logics can be 
recast in their framework. Thus their framework serves as a unifying framework 
not only for defeasible argumentation but also for nonmonotonic reasoning in 
general. 

The BDKT framework exists in two versions. The version of [9] completely 
abstracts from the internal structure of arguments and the nature of the attack 
relation, while the version of [4] is more concrete. It regards arguments as sets of 
assumptions that can be added to a theory formulated in a monotonic logic in 
order to derive defeasible conclusions, and it defines attack in terms of a notion 
of contrariness of assumptions. 

Besides a definition of argument-extensions, it is also important to have a test 
for extension membership of individual arguments, i.e., to have a proof theory 
for the semantics. A natural (though not the only) form of such proof theories 
is the dialectical form of an argument game between a defender and challenger
of an argument [18, 29, 8, 5, 26, 24, 14]. The defender starts with an argument 
to be tested, after which each player must attack the other player’s arguments 
with a counterargument of sufficient strength. The initial argument is provable 
if its defender has a winning strategy, i.e., if he can make the challenger run out 
of moves in whatever way she attacks. The precise rules of the argument game 
depend on the semantics which the proof theory is meant to capture. 

For [4]’s assumption-based version, dialectical proof theories have been studied
by [15]. However, for [9]’s abstract version only the so-called ‘grounded (sceptical) 
semantics’ has been recast in dialectical style, viz. by [8]. Grounded semantics 
is sceptical in the sense that it always induces a unique extension of admissible 
arguments: in case of an irresolvable conflict between two arguments, it leaves 
both arguments out of the extension. For the other semantics of [9], which in case 
of irresolvable conflicts all induce multiple extensions, dialectical forms must still 
be developed. This paper contributes to this development: it presents a dialectical 
argument game for perhaps the most important multiple-extension semantics of 
[9], so-called preferred semantics. In fact, we shall present two results: a proof 
theory for membership of some preferred extension (credulous reasoning) and the 
same for membership of all preferred extensions (sceptical reasoning, although 
only for the case where preferred semantics coincides with stable semantics). 

It should be motivated why proof theories for the most abstract version of the 
BDKT framework are important besides their counterparts for the assumption- 
based version. Kakas & Toni’s work is very relevant when arguments can be 
cast in assumption-based form. In many applications this is possible, but in 
other applications this is different. For instance, argumentation has been used 
as a component of negotiation protocols, where arguments for an offer should 
persuade the other party to accept the offer [16, 20]. Argumentation is also 
part of some recent formal models and computer systems for dispute mediation 
[10, 11, 6], and it has been used in computer programs for intelligent tutoring:
for instance, in a system (Belvedere) that teaches scientific reasoning [27] and 
in systems that teach argumentation skills to law students, e.g. [1]’s CATO 
system and [28]’s ARGUE system. Now in many applications of these types, 
arguments have a structure that cannot be naturally cast in assumption-based 
form. For instance, they can be linked pieces of unstructured natural-language 
text (cf. Belvedere or Gordon’s ZENO system), or they consist of analogical uses 
of precedents, such as CATO’s arguments. It is especially for such applications 
that proof theories for [9]’s abstract framework are relevant. 

It should also be motivated why a proof-theory for preferred semantics is im- 
portant despite the pessimistic results on computational complexity recorded 
by [7]. To start with, these pessimistic results concern worst-case scenarios, and 
cases might be identified where computation of preferred semantics is still fea- 
sible. Moreover, as demonstrated by e.g. [21, 18], logics for defeasible argumen- 
tation provide a suitable basis for resource-bounded reasoning: dialogues corre- 
sponding to such logics can be interrupted at any time such that the intermediate 
outcome is still meaningful. Finally, there is a possible use of argument-based 
proof theories which does not suffer from the computational complexity, viz. in
automated mediation and tutoring. In, for instance, mediation systems for nego- 
tiation or collective decision making, and also in systems for intelligent tutoring, 
the search for arguments and counterarguments is not performed by the com- 
puter, but by the users of the system, who input their arguments into the system 
during a discussion. In such applications the argument-based proof theory can 
be used as a protocol for dispute: it checks whether the users’ moves are legal, 
and it determines, given only the arguments constructed by the users, which of
the participants in a dispute is winning. (See e.g. [23] for a logical study of this 
use of dialectical proof theories). 

Finally, we must motivate why argument-game versions are important besides 
other argument-based proof theories, such as [21]’s proof theory for his system, 
which is based on preferred semantics. This has to do with applications in fields 
like mediation and tutoring. In these fields, argumentation has been used as 
a component of several computational dialogue systems based on speech acts, 
such as models of legal procedure [10, 13, 3, 17], discourse generation systems
[12], multi-agent negotiation systems [20, 2], and intelligent tutoring [19]. In our 
opinion, the dialectical form of an argument game is ideally suited for embedding 
in such dialogue systems (see [22] for a formal study of such embeddings). 

The structure of this paper is as follows. In Section 2 we provide an overview 
of the basics of the BDKT framework. In Section 3 we discuss with the help of 
examples which features our argument games should have. Then we define the 
credulous argument game in Section 4 and the sceptical game in Section 5, after 
which we discuss some limitations in Section 6. 


2 Definitions and Known Results 


In this section we review the basics of the BDKT framework, as far as needed 
for present purposes. The input of the system is a set of arguments ordered by 
an attack relation. 


Definition 1. (Argument system [9]). An argument system A is a pair

A = (X, ←),   (1)

where X is a set of arguments, and ← is a relation between pairs of arguments
in X. The expression a ← b is pronounced “a is attacked by b,” “b is an attacker
of a,” or “b is a counterargument of a”.


Example 1. The pair A = (X, ←) with arguments

X = {a, b, c, d, e, f, g, h, i, j, k, l, m, n, p, q}

and ← as indicated in Figure 1 is an (abstract) example of an argument system.
It accommodates a number of interesting cases and anomalies, and will therefore 
be used as a running example throughout this paper. 

Fig. 1. Attack relations in the running example.


In practical applications it is necessary to further specify the internal structure 
of the arguments and the relation ←. See e.g. [30]. However, for the purpose of
this paper it is not necessary to do so; at present it suffices to know that there are
arguments, and that some arguments attack other arguments. 

The output of the system is one or more argument extensions, which are sets 
of arguments that represent a maximally defendable point of view. The different 
semantics of the BDKT framework define different senses of ‘maximally defend- 
able’. We list the definitions of two of them, stable and preferred semantics. 


1. An argument a is attacked by a set of arguments B if B contains an attacker 
of a. (Not all members of B need attack a.) 

2. An argument a is acceptable with respect to a set of arguments C, if every
attacker of a is attacked by a member of C: for example, if a ← b then b ← c
for some c ∈ C. In that case we say that c defends a, and also that C defends
a.

3. A set S of arguments is conflict-free if no argument in S attacks an argument 
in S. 

4. A conflict-free set S of arguments is admissible if each argument in S is 
acceptable with respect to S. 

5. A set of arguments is a preferred extension if it is a ⊆-maximal admissible
set.

6. A conflict-free set of arguments is a stable extension if it attacks every ar- 
gument outside it. 
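

The six definitions above translate directly into a brute-force check. The sketch below is only an illustration under stated assumptions: the attack relation is stored as a hypothetical dictionary attackers mapping each argument to the set of arguments that attack it, all function names are invented for this example, and the enumeration of all subsets is exponential, so it is meant for very small systems only. The two small systems at the end are made up for illustration and are not the system of Figure 1.

```python
from itertools import combinations


def attacked_by_set(a, B, attackers):
    """Item 1: a is attacked by the set B if B contains an attacker of a."""
    return bool(attackers.get(a, set()) & set(B))


def conflict_free(S, attackers):
    """Item 3: no argument in S attacks an argument in S."""
    return not any(x in attackers.get(y, set()) for x in S for y in S)


def acceptable(a, C, attackers):
    """Item 2: every attacker of a is attacked by a member of C."""
    return all(attacked_by_set(b, C, attackers) for b in attackers.get(a, set()))


def admissible(S, attackers):
    """Item 4: S is conflict-free and each member is acceptable w.r.t. S."""
    return conflict_free(S, attackers) and all(acceptable(a, S, attackers) for a in S)


def subsets(X):
    items = sorted(X)
    for r in range(len(items) + 1):
        for combo in combinations(items, r):
            yield frozenset(combo)


def preferred_extensions(X, attackers):
    """Item 5: the subset-maximal admissible sets."""
    adm = [S for S in subsets(X) if admissible(S, attackers)]
    return [S for S in adm if not any(S < T for T in adm)]


def stable_extensions(X, attackers):
    """Item 6: conflict-free sets that attack every argument outside them."""
    return [S for S in subsets(X)
            if conflict_free(S, attackers)
            and all(attacked_by_set(a, S, attackers) for a in set(X) - S)]


# Hypothetical system 1: x and y attack each other, y attacks z.
X1 = {"x", "y", "z"}
att1 = {"x": {"y"}, "y": {"x"}, "z": {"y"}}

# Hypothetical system 2: an odd attack cycle u <- w <- v <- u.
X2 = {"u", "v", "w"}
att2 = {"u": {"w"}, "w": {"v"}, "v": {"u"}}
```

In the first system the preferred extensions are {x, z} and {y}, and both are stable. In the odd cycle the only admissible set is the empty set, so the empty set is the unique preferred extension and there is no stable extension.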


The following results of [9] will be used in the present paper.

Known results. (from [9])

1. Each admissible set is contained in a ⊆-maximally admissible set.
2. Every stable extension is preferred.
3. Not every preferred extension is stable.
4. Stable extensions do not always exist; preferred extensions always exist.
5. Stable and preferred extensions are generally not unique.


3 The Basic Ideas Illustrated


In this section we discuss with the help of examples which features our argument 
games should have. 

Our game for testing membership of some extension is based on the following 
idea. By definition, a preferred extension is a ⊆-maximal admissible set. It is
known that each admissible set is contained in a maximal admissible set, so 
the procedure comes down to trying to construct an admissible set ‘around’ the 
argument in question. If this succeeds we know that the admissible set, and 
hence the argument in question, is contained in a preferred extension. 

Suppose now we wish to investigate whether a is preferred, i.e., belongs to 
a preferred extension. We know that it suffices to show that the argument in 
question is admissible. The idea is to start with S = {a}, which most likely is 
not admissible. (Because S is small, and small sets are usually conflict-free but
not admissible.) So other arguments must be found (or constructed) in order to 
complete S into an admissible set. 


Procedure. (Constructing an admissible set). Let a be an argument for which
we try to construct an admissible set. This task can best be divided into two
subtasks:


Task 1: construction. Let us suppose this task is performed by person PRO, who
assumes a constructive role by trying to show that a is contained in an
admissible set. To this end, PRO examines if there are arguments that attack
his arguments constructed thus far. If there is such an argument, PRO tries to
attack it by trying to construct an argument that attacks the original attacker
(acceptability). If PRO has found such an argument, it must be consistent with
his previous arguments (conflict-freeness).


PRO’s role is purely defensive: his goal is to incorporate defenders against
attacks constructed thus far, not to extend his collection of arguments per se. To
the contrary, in fact: PRO’s goal is to keep his collection of arguments as small
as possible, because PRO is more vulnerable if he (or she)¹ has more arguments
to defend.


Task 2: criticism. This task is performed by person CON, who assumes a critical
role by trying to find counterarguments to arguments advanced by PRO. In a
way, CON’s aim is to ‘make PRO talk’ in the sense that PRO is more vulnerable
if he has more arguments to defend.


The procedure formulated here is not necessarily adversarial: one way to look 
at it is to say that CON helps PRO by alerting him to arguments that might
invalidate PRO’s collection of admissible arguments. 


¹ From here on we will use the generic masculine form, intending no bias.


Example 2. (Straight failure). Consider the argument system that was presented
at the beginning of this paper. Suppose PRO’s task is to show that a is preferred.
Since preferred extensions are maximally admissible sets it suffices for PRO to
show that a is admissible, i.e., that a is contained in an admissible set.


The first action of PRO is simply putting forward a.


If a can’t be criticized, i.e., if there are no attackers, then S = {a} is admissible,
and PRO succeeds. However, since a ← h, CON forwards h.


Now it is up to PRO to defend a by finding arguments against h. There are no 
such arguments, so that PRO fails to construct an admissible set ‘around’ a. So 
a is not admissible, hence not preferred. 


Example 3. (Straight success). Suppose that PRO wants to show that b is
admissible.


The first action of PRO is putting forward b.

CON attacks b with d.

PRO defends against this attack with g.

Since CON’s attack on b with d has failed, CON returns to b and attacks it
again, this time with e.

PRO defends b again, this time with h. Since CON is unable to find another
argument against b, g or h, PRO may now close S.


Example 4. (Even loop success). Suppose that PRO wants to show that f is
admissible.


The first action of PRO is putting forward f.

CON attacks f with n.

PRO defends against this attack with i.

CON attacks i with j.

PRO defends i with i itself (so that i is self-defending). CON is unable to put
forward other arguments that attack f or i, so that PRO closes S.


This example shows that PRO must be allowed to repeat his arguments, while
CON must be forbidden to repeat CON’s arguments (at least in the same ‘line
of dispute’; see further below).


Example 5. (Odd loop failure). Suppose that PRO wants to show that m is
admissible.


The first action of PRO is putting forward m.

CON attacks m with l.

PRO defends against this attack with p.

CON attacks p with h.

PRO backtracks and removes p from S. He then tries to defend against l with k
instead.

CON attacks k with m (and, as a bonus, introduces an inconsistency in S).


PRO has no other arguments in response to l and m, so that he is unable to
close S into an admissible set. So m is not contained in an admissible set. Note
that we cannot allow PRO to reply to m with l, since otherwise the set that
PRO is constructing ‘around’ m is not conflict-free, hence not admissible. So
we must forbid PRO to repeat CON’s moves. On the other hand, this example 
also shows that CON should be allowed to repeat PRO’s moves, since such a 
repetition reveals a conflict in PRO’s position. 
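

The outcomes of Examples 2 to 5 can be replayed with a small search that mimics PRO's construction task: start from {a}, and whenever some member has an attacker that the current set does not yet attack, try each possible defender in turn, backtracking on failure. This is a minimal sketch under stated assumptions and is not the argument game defined later in the paper: the function name find_admissible_set and the dictionary attackers (argument to set of its attackers) are hypothetical, and the attack pairs listed are only those mentioned in Examples 2 to 5, not the complete relation of Figure 1.

```python
def find_admissible_set(attackers, start):
    """Return an admissible set containing `start`, or None if there is none."""

    def att(x):
        return attackers.get(x, set())

    def conflict_free(s):
        return not any(y in att(x) for x in s for y in s)

    def extend(s):
        if not conflict_free(s):
            return None
        for x in sorted(s):
            for b in sorted(att(x)):
                if not (att(b) & s):
                    # b is an undefended attacker: try every defender c of x.
                    for c in sorted(att(b)):
                        result = extend(s | {c})
                        if result is not None:
                            return result
                    return None  # no defender works, so s cannot be completed
        return s  # conflict-free and every attacker is counterattacked

    return extend(frozenset({start}))


# Attacks mentioned in Examples 2-5 (key is attacked by each member of the value).
attackers = {
    "a": {"h"},
    "b": {"d", "e"}, "d": {"g"}, "e": {"h"},
    "f": {"n"}, "n": {"i"}, "i": {"j"}, "j": {"i"},
    "m": {"l"}, "l": {"p", "k"}, "p": {"h"}, "k": {"m"},
}
```

With this partial relation the search fails for a and m and returns {b, g, h} for b and {f, i} for f, matching the four examples. Each recursive call adds an argument that was not yet in the set, so the search terminates on any finite system.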


Example 6. (The need for backtracking). Consider next an argument system 
with five arguments a,b,c,d and e and attack relations as shown in the graph. 

This example shows that we must allow CON to backtrack. Suppose PRO starts
with a, CON attacks a with d, and PRO defends a with e. If CON now attacks 
e with b, PRO can defend e by repeating e itself. However, CON can backtrack 
to a, this time attacking it with c, after which PRO’s only move is defending a 
with b. Then CON can repeat PRO’s move e, revealing that PRO’s position is 
not conflict-free. 


Repetition Let us summarise our observations about repetition of moves. If 
PRO can defend an argument by using one of his previous arguments that is not 
backtracked, then should PRO do that? Further, does it make sense for PRO 
to repeat arguments advanced by CON? The same questions can be asked for 
repetitions by CON. 


i. It makes sense for PRO to repeat himself (if possible), because CON might
fail to find or produce a new attacker against PRO’s repeated argument. 
If so, then PRO’s repetition closes a cycle of even length, of which PRO’s 
arguments are admissible. 

ii. CON should repeat PRO (if possible), because it would show that PRO’s 
collection of arguments is not conflict-free. 

iii. PRO should not repeat CON, because it would introduce a conflict into 
PRO’s own collection of arguments. 

iv. It does not make sense for CON to repeat himself, because PRO has already
shown that he has an adequate defence against CON’s previous arguments.


Finally, we show that CON should be allowed to repeat CON’s arguments 
when they are from different ‘lines’ of a dispute. A dispute line is a dispute 
where each move replies to the immediately preceding move; i.e., in a dispute 
line no backtracking is allowed. 
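

The repetition guidelines (i) to (iv) can be summarised as a check on a single dispute line. The sketch below is illustrative only: the names may_move and is_eo_ipso and the representation of a line as a list of (player, argument) pairs are assumptions made for this example, and the check covers repetition alone, not whether the argument actually attacks the move it replies to.

```python
def may_move(player, argument, line):
    """Check the repetition guidelines for one dispute line.

    `line` is a list of (player, argument) pairs, where player is "PRO" or "CON".
    """
    used_by_con = {a for who, a in line if who == "CON"}
    if player == "PRO":
        # (i) PRO may repeat himself; (iii) PRO should not repeat CON.
        return argument not in used_by_con
    # (ii) CON may repeat PRO; (iv) CON does not repeat himself within one line.
    return argument not in used_by_con


def is_eo_ipso(player, argument, line):
    """CON repeats one of PRO's arguments, revealing a conflict in PRO's position."""
    used_by_pro = {a for who, a in line if who == "PRO"}
    return player == "CON" and argument in used_by_pro


# The final dispute lines of Examples 4 and 5.
line4 = [("PRO", "f"), ("CON", "n"), ("PRO", "i"), ("CON", "j")]
line5 = [("PRO", "m"), ("CON", "l"), ("PRO", "k")]
```

On line4, PRO may repeat i, after which CON may not repeat j. On line5, CON may move m, which repeats PRO's own first argument, and PRO may not answer it with l. Because the check looks at one line only, CON remains free to reuse an argument in a different line, as discussed in the paragraph above.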


Example 7. (Repetition from different lines).

[Figure omitted: attack graph over the arguments a, b, c, d and e.]


Suppose PRO starts a dispute for a and CON attacks a with b. Then PRO has
two alternative ways to defend a, viz. with c and with d, but CON must be 
allowed to reply to each of them with e. 


4 The Credulous Argument Game Defined


We now turn to the formal definition of our argument games, starting with the 
credulous game. During a dispute a tree of dispute lines is constructed. This can 
be illustrated with the following format of disputes, taken from [29]. 


Example 2:                   Example 3:
1. | PRO: a                  1. | PRO: b
2. || CON: h †               2. || CON: d
                             3. ||| PRO: g †
                             4. || CON: e
                             5. ||| PRO: h †

Example 4:                   Example 5:
1. | PRO: f                  1. | PRO: m
2. || CON: n                 2. || CON: l
3. ||| PRO: i                3. ||| PRO: p
4. |||| CON: j               4. |||| CON: h †
5. ||||| PRO: i (iv)         5. ||| PRO: k
                             6. |||| CON: m (iii)

The vertical bars “|||” indicate the level of the dispute, i.e., the depth of the
tree. E.g., in Ex. 3, PRO responded to a response of CON (level 3), after which
CON backtracks (level 2) to try a new argument against b. 

The “‡”-symbol means that the player cannot respond to the last argument
of the other player, while the “†”-symbol means that the player is unable to
respond to all arguments of the other player presented thus far. A number in 
the range (i-iv) means that a next move of the player would make no sense on 
the basis of the corresponding repetition guideline. 


Rules and Correspondence. To establish a precise correspondence between 
disputes and preferred extensions, it is necessary to make the terminology more 
precise and to define the rules under which a dispute is conducted. 

- A move is simply an argument (if the first move) or else an argument 
  attacking one of the previous arguments of the other player. 
- Both parties can backtrack. 
- An eo ipso (meaning: “you said it yourself”) is a move that uses a previous 
  non-backtracked argument of the other player. 
- A block is a move that places the other player in a position in which he 
  cannot move. 
- A two-party immediate response dispute (TPI-dispute) is a dispute in which 
  both parties are allowed to repeat PRO, in which PRO is not allowed to 
  repeat CON, and in which CON is allowed to repeat CON iff the second use 
  is in a different line of the dispute. CON wins if he does an eo ipso or blocks 
  PRO. Otherwise, PRO wins. 
A main argument of a TPI-dispute is defended if the dispute is won by PRO. 


Proposition 1. (Soundness and completeness of the credulous game). An ar- 
gument is in some preferred extension iff it can be defended in every TPI-dispute. 


Proof. By definition of preferred extensions it suffices to show that an argument 
is admissible iff it can be defended in every dispute. 

First suppose that a can be defended in every dispute. This includes disputes 
in which CON has opposed optimally. Let us consider such a dispute. Let A be 
the arguments that PRO used to defend a (in particular $a \in A$). If A is not 
conflict-free then $a_i \leftarrow a_j$ for some $a_i, a_j \in A$, and CON would have done an eo 
ipso, which is not the case. If A is not admissible, then $a_i \leftarrow b$ for some $a_i \in A$ 
while $b \not\leftarrow A$. In that case, CON would have used b as a winning argument, 
which is also not the case. Hence A is admissible. 

Conversely, suppose that $a \in A$ with A admissible. Now PRO can win every 
dispute by starting with a, and replying with arguments from A only. (PRO can 
do this, because all arguments in A are acceptable wrt A.) As long as PRO picks 
his arguments from A, CON cannot win by eo ipso, because A is conflict-free. 
So a can be defended in every dispute. 


5 The Sceptical Argument Game Defined 


Above, PRO tries to show that the main argument is contained in a preferred 
set. This is known as credulous reasoning. If PRO wishes to verify whether 
the main argument is contained in all preferred sets, then PRO does sceptical 
reasoning. Before defining an argument game for this kind of reasoning, we must 
first explain why for sceptical reasoning it is relevant to study preferred semantics 
besides [9]’s grounded semantics, which is also meant for sceptical reasoning. 
The reason is that grounded semantics is too weak to capture certain types of 
sceptical conclusions. 


Example 8. (Floating arguments.) Consider the arguments a, b,c and d with the 
attack relations as shown in the picture. 


Since no argument is unattacked, the grounded extension is empty. However, 
this example has two preferred extensions, {a,d} and {b,d}, and both of them 
contain d. 
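
The gap between the two semantics in Example 8 can be checked by brute force. The following is a minimal sketch and not part of the original paper. Because the picture is not reproduced here, the attack relation is an assumption: the usual floating-argument pattern in which a and b attack each other, both attack c, and c attacks d. It was chosen because it agrees with the extensions stated in the text. All function names are illustrative.

```python
from itertools import combinations

def conflict_free(s, attacks):
    # No member of s attacks a member of s.
    return not any((x, y) in attacks for x in s for y in s)

def defends(s, arg, attacks):
    # Every attacker of arg is itself attacked by some member of s.
    return all(any((z, y) in attacks for z in s)
               for (y, t) in attacks if t == arg)

def admissible_sets(args, attacks):
    found = []
    for k in range(len(args) + 1):
        for combo in combinations(sorted(args), k):
            s = frozenset(combo)
            if conflict_free(s, attacks) and all(defends(s, x, attacks) for x in s):
                found.append(s)
    return found

def preferred_extensions(args, attacks):
    # Preferred extensions are the maximal admissible sets.
    adm = admissible_sets(args, attacks)
    return [s for s in adm if not any(s < t for t in adm)]

def grounded_extension(args, attacks):
    # Iterate "all arguments defended by s" from the empty set to a fixed point.
    s = frozenset()
    while True:
        nxt = frozenset(x for x in args if defends(s, x, attacks))
        if nxt == s:
            return s
        s = nxt

# Assumed attack relation (attacker, target) for Example 8.
ARGS = {"a", "b", "c", "d"}
ATTACKS = {("a", "b"), ("b", "a"), ("a", "c"), ("b", "c"), ("c", "d")}

PREFERRED = preferred_extensions(ARGS, ATTACKS)
GROUNDED = grounded_extension(ARGS, ATTACKS)
```

Under this assumed graph the grounded extension is empty while d belongs to both preferred extensions, which is the behaviour the example describes. The enumeration is exponential in the number of arguments and is meant only for small illustrations.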
Next we illustrate that there are cases where an argument system has a unique 
preferred extension but not all of its elements are contained in the grounded 
extension. 


Example 9. Consider four arguments a,b,c and d with the attack relations as 
shown in the picture. 


The unique preferred extension is {c}, so c is sceptically preferred, but the 
grounded extension is empty, since none of the arguments are unattacked. 


We now define the sceptical argument game. A result for sceptical reasoning 
can be obtained by observing that a dispute is symmetric, since CON also may 
be given the task to construct an admissible set, viz. for the attackers he uses. 
If CON succeeds, he has shown that there exists at least one admissible set not 
including the main argument. 


Proposition 2. (Soundness and completeness of the sceptical game). In argu- 
ment systems where each preferred extension is also stable, an argument is in all 
preferred extensions iff it can be defended in every TPI-dispute, and none of its 
attackers can be defended in every TPI-dispute. 


Proof. This result can be proven on the basis of the previous proposition, and 
by the fact that a stable extension attacks every argument outside it. 

Consider any argument system where all preferred extensions are stable. For 
the only-if-part of the equivalence, consider any argument a that is in all pre- 
ferred extensions. Then (by assumption that these extensions are also stable) 
all attackers of a are attacked by all such extensions, so by conflict-freeness of 
preferred extensions, none of these attackers is in any such extension. But then 
none of a’s attackers is credulously provable. 

For the if part, let a be any argument that is credulously provable and such 
that none of a’s attackers are credulously provable. Then none of these attackers 
is in any preferred extension, so (by assumption that these extensions are also 
stable) they are attacked by all such extensions. But then a is defended by all 
these extensions, so they all contain a. 


The following example shows that this result does not hold in general. 
Example 10. Consider: 

[Figure: attack graph for Example 10.] 


a is contained in one preferred extension, viz. $E_1 = \{a, c\}$, but not in the other 
preferred extension, which is $E_2 = \{d\}$. Note that the self-attacking argument 
prevents a from being a member of $E_2$ although b is not itself a member. The 
problem is that $E_2$ does not attack b so that a is not acceptable with respect to 
$E_2$. This situation cannot arise when all preferred extensions are stable, since 
then they attack all arguments outside them. 
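
The failure described in Example 10 can be reproduced mechanically. The sketch below is illustrative only. The attack relation is an assumption, since the picture is not legible here: b attacks itself and a, c attacks b and d, and d attacks c. This graph was chosen because it yields exactly the two preferred extensions named in the text. By Proposition 1, "can be defended" is read as "belongs to some admissible set".

```python
from itertools import combinations

# Assumed attack relation (attacker, target) for Example 10.
ARGS = {"a", "b", "c", "d"}
ATTACKS = {("b", "b"), ("b", "a"), ("c", "b"), ("c", "d"), ("d", "c")}

def conflict_free(s):
    return not any((x, y) in ATTACKS for x in s for y in s)

def defends(s, arg):
    # Every attacker of arg is attacked by some member of s.
    return all(any((z, y) in ATTACKS for z in s)
               for (y, t) in ATTACKS if t == arg)

def admissible_sets():
    found = []
    for k in range(len(ARGS) + 1):
        for combo in combinations(sorted(ARGS), k):
            s = frozenset(combo)
            if conflict_free(s) and all(defends(s, x) for x in s):
                found.append(s)
    return found

ADMISSIBLE = admissible_sets()
PREFERRED = [s for s in ADMISSIBLE if not any(s < t for t in ADMISSIBLE)]

def credulous(x):
    # x is in some admissible set, hence in some preferred extension.
    return any(x in s for s in ADMISSIBLE)

def is_stable(s):
    # A stable set attacks every argument outside it.
    return all(any((z, x) in ATTACKS for z in s) for x in ARGS - s)

attackers_of_a = {y for (y, t) in ATTACKS if t == "a"}

# Right-hand side of Proposition 2 for the argument a.
CONDITION = credulous("a") and not any(credulous(y) for y in attackers_of_a)
# Left-hand side: a is in every preferred extension.
SCEPTICAL = all("a" in e for e in PREFERRED)
STABLE_FLAGS = {tuple(sorted(e)): is_stable(e) for e in PREFERRED}
```

With this graph the condition of Proposition 2 holds for a although a is not sceptically accepted, and the extension {d} is preferred but not stable, so the proposition's side condition is violated as the text explains.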


6 Discussion 


The present paper has provided simple and intuitive argument games for both 
credulous and sceptical reasoning in preferred semantics. However, there are still 
some limitations and drawbacks. 

A limitation is, of course, that the sceptical game is not sound and complete in 
general. A first drawback is the fact that the sceptical game actually consists of 
two parallel games, which is less elegant in applications in mediation and tutoring 
systems. In future research we hope to improve the games in both respects. 

Another drawback is that in some cases proofs are infinite. This is obvious 
when an argument has an infinite number of attackers, but even otherwise some 
proofs are infinite, as in the following example. 


Example 11. (Infinite attack chain.) Consider an infinite chain of arguments 
$a_1, \ldots, a_n, \ldots$ such that $a_1$ is attacked by $a_2$, $a_2$ is attacked by $a_3$, and so on. 


$a_1 \leftarrow a_2 \leftarrow a_3 \leftarrow a_4 \leftarrow a_5 \leftarrow \cdots$ 


PRO can win a game for $a_1$ (or for any other argument) since CON is never 
able to move a block, but PRO has no blocking move available either. 


Nevertheless, it is easy to verify that with a finite set of arguments all proofs are 
finite. 
Abstract. We extend our general approach to characterizing information 
to multi-agent systems. In particular, we provide a formal description 
of an agent’s knowledge containing exactly the information conveyed 
by some (honest) formula $\varphi$. 

Only knowing is important for dynamic agent systems in two ways. First 
of all, one wants to compare different states of knowledge of an agent 
and, secondly, for agent a’s decisions, it may be relevant that (he knows 
that) agent b does not know more than $\varphi$. 

There are three ways to study the question whether a formula $\varphi$ can 
be interpreted as minimal information. The first method is semantic and 
inspects ‘minimal’ models for $\varphi$ (with respect to some order $\leq$ on states). 
The second one is syntactic and searches for stable expansions, minimal 
with respect to some language $\mathcal{L}^*$. The third method is a deductive test, 
known as the disjunction property. We present a condition under which 
the three methods are equivalent. 

Then, we show how to construct the order $\leq$ by collecting ‘layered 
orders’. We then focus on the multi-agent case and identify languages $\mathcal{L}^*$ 
for several orders $\leq$, and show how they yield different notions of 
honesty for different multi-modal systems. Finally, some consequences of the 
different notions are discussed. 


Classification. Knowledge representation, Non-classical logics. 


1 Introduction 


What is a knowledge state? To answer this question, we give a general approach 
to characterizing information in a modal context. In particular, we want to obtain 
a formal description of an agent’s knowledge containing exactly, that is, at least 
but not more than the information conveyed by some formula $\varphi$, in other words, 
the case in which $\varphi$ is the agent’s only knowledge. Characterizing an agent’s 
exact knowledge state is important in dynamic agent systems in several ways. 
First of all, when the system evolves, one might wish to compare the different 
states of one agent: which actions (or, more specifically, moves) optimally extend 
his knowledge? Secondly, in multi-agent systems, agent a may wish to be sure 
that all that b knows is $\varphi$, and exploit the fact that b does not know more 
than that. Finally, when such agents start to exchange information, they must 
be aware of principles governing their communication: usually utterances are 
intended to convey minimal knowledge with respect to some domain (Grice’s 
maxim of quantity). 


Formulas $\varphi$ representing all that the agent knows are called honest. For the 
one-agent case, some observations about only knowing and honesty are well 
accepted. For instance, where purely objective formulas are rendered honest, a 
typical example of a dishonest formula is $\varphi = (\Box p \lor \Box q)$: if an agent claims 
to only know $\varphi$, he would know something that is stronger than $\varphi$ (i.e., either 
$\Box p$ or $\Box q$). A more sophisticated analysis of honesty generally depends on the 
epistemic background logic. What is especially important here is which 
introspective capacities we are ready to attribute to the agent. For example, if the 
background logic contains the axiom of positive introspection $\Box\varphi \to \Box\Box\varphi$, we 
can infer $\Box\Box p$ if only p is known. This seems innocent since the inferred 
knowledge is still related to the initial description p. On the other hand, if we accept 
the axiom of negative introspection $\neg\Box\varphi \to \Box\neg\Box\varphi$, then we can infer knowledge 
concerning q, for example $\Box\neg\Box q$, from only knowing p. This knowledge cannot 
be derived from only knowing $p \land q$, which intuitively represents more knowledge 
than only knowing p. As we stressed in [6], this kind of inference affects the 
treatment of honesty for different modal systems. 


For the multi-agent case, intuition seems to be much less clear. Of course, 
where objective formulas are all honest in the one-agent case, this property is 
easily convertible to formulas with no operator $\Box_a$, when considering honesty 
for agent a. Hence, a can honestly claim to only know $\Box_b p \lor \Box_b q$, for $b \neq a$. But 
if $\Box_a$ re-occurs in the scope of $\Box_b$, the resulting formula $\Box_b\Box_a p \lor \Box_b\Box_a q$ becomes 
dishonest again if $\Box_b$ represents knowledge. With mixed operators, in particular 
in the presence of negation, matters soon get fuzzy. 


Studies of ‘only knowing’ ([3,11]) and ‘all I know’ ([8]) have largely been 
restricted to particular modal systems, such as S5, S4 and K45. Recently Halpern 
[2] has also taken other modal systems such as K, T and KD45 into account. 
Although his approach suggests similar results for e.g. KD4, in [6] we adopted a 
more general perspective: given any modal system, how to characterize the 
minimal informational content of modal formulas. For multi-agent only knowing, we 
only know of a (more or less) general approach by Halpern ([2]), putting a 
notion of ‘possibility’ to work on tree models, and, for the $S5_m$ case, enriching the 
language with modal operators Qs, for any formula ¢ and agent 2. 


In this paper, besides considering arbitrary normal multi-modal systems, we 
prefer to use standard Kripke models instead of Fagin and Vardi’s knowledge 
structures and Halpern’s tree models. We try to obtain this general view by putting our 
framework of [6] to work for the multi-agent case. In order to appreciate this 
fully, the reader has to realize that, in general, there are three ways to study the 
question whether a formula $\varphi$ allows for a minimal interpretation (if $\Box\varphi$ allows 
for such a minimal interpretation, $\varphi$ is called honest), and, if so, what can be 
said about the consequences of $\varphi$ under this interpretation. 

The first approach is a semantic one: given a formula $\varphi$, try to identify 
models for $\varphi$ that carry the least information. This approach requires a suitable 
order $\leq$ between states (i.e., model-world pairs) in order to identify minimal (or, 
rather, least) elements. For the simple (universal) S5-models the order coincides 
with the superset-relation between sets of worlds. Our challenge here is to give 
a general definition of such an order, which suits any multi-modal system. The 
second approach is mainly syntactic in nature and presupposes a sublanguage 
$\mathcal{L}^*$ of ‘special’ formulas. Given a consistent formula $\varphi$, we then try to find a 
maximally consistent set containing $\varphi$ with a smallest $\mathcal{L}^*$-part. This approach 
can be identified as the search for so-called stable expansions, which are related to 
maximally consistent sets in a straightforward way. The last approach is purely 
deductive, and is also known as the disjunction property (DP): $\varphi$ allows for a 
minimal interpretation if for any disjunction in $\mathcal{L}^*$ that can be derived from $\varphi$, 
one disjunct is derivable from $\varphi$. 

In [6], we were able to formulate a condition under which the three approaches 
mentioned above are equivalent. This paves the way to focus on defining ‘suitable’ 
orders on information states in a general way, rather than trying to establish the 
equivalences of the characterizations for specific orders, again and again. The 
information orders on states that we consider are induced by layered orders $\leq_n$ 
between states, where n settles the depth of the equivalence. 

For the one-agent case, we obtained minimality results with respect to the 
following languages (by considering appropriate orders on states): 


- $\mathcal{L}^* = \Box\mathcal{L}$, where $\mathcal{L}$ is the full modal language (general honesty). However, it 
  appears that under this choice, almost every formula is honest in the systems 
  K, K4, KD and KD4. On the other hand, for many other systems there 
  are no honest formulas. So for most systems, the notion of general honesty 
  is trivial: all or no formulas are honest. 

- $\mathcal{L}^* = \Box\mathcal{L}^+$, where $\mathcal{L}^+$ is the modal language where no $\Box$ occurs in the scope 
  of a negation (positive honesty). For S5, the corresponding notion of honesty 
  coincides with the approach in [3]. Moreover, for all systems except K, KD, 
  K4 and KD4, this notion of honesty is not trivial. 


For the multi-agent case, there are many more options. Generalizing the 
first language above gives rise to a notion of honesty which encounters, mutatis 
mutandis, the same problem of trivialization as stated for the one-agent case. The 
second, so-called positive language can be generalized in different ways, which 
for most systems lead to nontrivial notions of honesty. The anomalous cases are 
still the weak doxastic logics (generalizing an observation of Halpern in [2]): in 
$KD_m$ and $KD4_m$, all formulas $\varphi$ for which $\Box_a\varphi$ is consistent are honest; in $K_m$ 
and $K4_m$, even all formulas are honest. This means that in $KD4_m$, for example, 
agent a can honestly claim that he only knows whether he knows p, which we 
believe to be counter-intuitive. 

In this paper, we present three generalizations of positive honesty: one 
corresponds to the ‘a-objective’ language (the formulas do not contain $\Box_a$), one to the 
‘a-positive’ language (no $\Box_a$ in the scope of negation), and one that combines 
these two. 


2 Modal Logical Preliminaries 


Let us agree on some technicalities. Our multi-modal language $\mathcal{L}$ or $\mathcal{L}^A$ has 
finitely many modal operators $\Box_1, \Box_2, \ldots, \Box_m$, over a finite set of atoms $P = 
\{p, q, r, \ldots\}$, using the classical connectives $\neg$, $\land$ and $\lor$. Here $\{1, 2, \ldots, m\}$ encodes 
the set of agents A. We use a for an arbitrary agent in A on which we focus. 
The operator $\Box_a$ denotes “Agent a has the information that ...”, which may 
involve knowledge, belief or any other propositional attitude. The dual modal 
operators $\Diamond_1, \Diamond_2, \ldots, \Diamond_m$ are introduced by definition: $\Diamond_a\varphi = \neg\Box_a\neg\varphi$. Given a 
set of formulas $\Gamma$, we define a’s knowledge about $\Gamma$ by $\Box_a\Gamma = \{\Box_a\varphi \mid \varphi \in \Gamma\}$ 
and a’s knowledge in $\Gamma$ by $\Box_a^-\Gamma = \{\varphi \mid \Box_a\varphi \in \Gamma\}$. 

A measure of modal complexity of formulas, called modal depth, has the usual 
recursive definition: $d(p) = 0$ (for $p \in P$), $d(\neg\varphi) = d(\varphi)$, $d(\varphi \land \psi) = d(\varphi \lor \psi) = 
\max\{d(\varphi), d(\psi)\}$ and $d(\Box_i\varphi) = d(\varphi) + 1$. We often consider the sublanguage of 
formulas of limited modal depth: $\mathcal{L}_{(n)} = \{\varphi \in \mathcal{L} \mid d(\varphi) \leq n\}$. So, $\mathcal{L}_{(0)}$ is the 
purely propositional subset of $\mathcal{L}$ (void of modal operators). Other sublanguages 
of interest will be defined in the sequel. 
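
The recursive definition of modal depth translates directly into code. The following is a minimal sketch; the nested-tuple encoding of formulas and the function names are assumptions made for illustration and do not come from the paper.

```python
# Assumed formula encoding (illustrative):
#   ("atom", "p"), ("not", f), ("and", f, g), ("or", f, g), ("box", agent, f)

def depth(f):
    """Modal depth d(f), following the recursive clauses in the text."""
    tag = f[0]
    if tag == "atom":
        return 0
    if tag == "not":
        return depth(f[1])
    if tag in ("and", "or"):
        return max(depth(f[1]), depth(f[2]))
    if tag == "box":
        return depth(f[2]) + 1
    raise ValueError(f"unknown connective: {tag!r}")

def in_depth_fragment(f, n):
    # Membership in the sublanguage of formulas of modal depth at most n.
    return depth(f) <= n

P = ("atom", "p")
Q = ("atom", "q")
# Box_a (p or Box_b q): the nested box gives depth 2.
EXAMPLE = ("box", "a", ("or", P, ("box", "b", Q)))
```

For instance, `depth(EXAMPLE)` evaluates to 2, so the formula lies in the depth-2 fragment but not in the purely propositional one.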

We use multi-modal Kripke models $\langle W, R_1, \ldots, R_m, V\rangle$ or $\langle W, R, V\rangle$ to 
interpret $\mathcal{L}$; here $wR_av$ or $v \in R_a[w]$ means that given world w, world v is an 
epistemic alternative for a. Truth is relative to a model-world pair (‘state’, for 
short). The connectives $\neg$, $\land$ and $\lor$ are interpreted as usual; the modal operators 
also get the classical interpretation: $M, w \models \Box_a\varphi$ iff for all $v \in R_a[w]$: $M, v \models \varphi$. 
The theory of a state (M, w) is $Th(M, w) = \{\varphi \mid M, w \models \varphi\}$. If the model is 
obvious from the context, we will omit it and simply write $w \models \varphi$. Consequence 
is defined relative to a given set of models S: $\Gamma \models_S \varphi$ iff $M, w \models \varphi$ for all 
$M \in S$ s.t. $M, w \models \Gamma$. States are assumed to be related by what we call an 
information order $\leq^a$ for any agent a; for the time being $\leq^a$ is only required to 
be a pre-order (i.e. reflexive and transitive). A major question is which formulas 
are preserved moving from w to w’ if $w \leq^a w'$. It will prove important to single 
out so-called persistent sublanguages of such formulas, in particular those that 
are rich enough to reversely characterize the information order. 
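
The truth definition for the modal operators can be made concrete with a small model checker. This is a sketch under assumptions: the dictionary layout of models (accessibility under "R", valuation under "V"), the tuple encoding of formulas and the example model are all hypothetical choices for illustration.

```python
# Assumed encodings (illustrative):
#   formulas: ("atom", "p"), ("not", f), ("and", f, g), ("or", f, g), ("box", agent, f)
#   models:   {"R": {agent: {world: set_of_worlds}}, "V": {world: set_of_atoms}}

def holds(model, w, f):
    """Truth of formula f at world w of a multi-modal Kripke model."""
    tag = f[0]
    if tag == "atom":
        return f[1] in model["V"][w]
    if tag == "not":
        return not holds(model, w, f[1])
    if tag == "and":
        return holds(model, w, f[1]) and holds(model, w, f[2])
    if tag == "or":
        return holds(model, w, f[1]) or holds(model, w, f[2])
    if tag == "box":
        agent, body = f[1], f[2]
        # Box_a f holds iff f holds in every a-alternative of w.
        return all(holds(model, v, body) for v in model["R"][agent].get(w, set()))
    raise ValueError(f"unknown connective: {tag!r}")

def dia(agent, f):
    # The dual operator is introduced by definition as not-box-not.
    return ("not", ("box", agent, ("not", f)))

MODEL = {
    "R": {"a": {"w0": {"w0", "w1"}, "w1": {"w1"}}},
    "V": {"w0": {"p"}, "w1": {"p", "q"}},
}
P = ("atom", "p")
Q = ("atom", "q")

BOX_P = holds(MODEL, "w0", ("box", "a", P))
BOX_Q = holds(MODEL, "w0", ("box", "a", Q))
DIA_Q = holds(MODEL, "w0", dia("a", Q))
```

In this example model, agent a has the information that p at w0 (both alternatives satisfy p), does not have the information that q, but considers q possible.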

The inference relation $\vdash$ is obtained relative to a modal system S, which 
at least contains classical propositional logic and the rule defining the minimal 
system K: $\Gamma \vdash \varphi \Rightarrow \Box_a\Gamma \vdash \Box_a\varphi$. Formulas $\varphi$ and $\psi$ are equivalent in S, if both 
$\varphi \vdash_S \psi$ and $\psi \vdash_S \varphi$. The logics S that we consider have the nice property that 
$\mathcal{L}_{(n)}$ is finitary: since P is finite, S induces only finitely many equivalence classes. 
A set $\Gamma$ is S-consistent if for some $\varphi$: $\Gamma \nvdash_S \varphi$; $\Gamma$ is maximal S-consistent (S-m.c.) 
if S-consistent, though it cannot properly be extended to a larger S-consistent 
set. A formula $\varphi$ is a theorem of S if $\emptyset \vdash_S \varphi$, also written as $\vdash_S \varphi$. 

Here are some familiar axioms and their corresponding condition on the 
accessibility relation: T $\Box_a\varphi \to \varphi$ (reflexivity); D $\Box_a\varphi \to \Diamond_a\varphi$ (seriality); 4 
$\Box_a\varphi \to \Box_a\Box_a\varphi$ (transitivity); 5 $\Diamond_a\varphi \to \Box_a\Diamond_a\varphi$ (Euclidicity); B $\varphi \to \Box_a\Diamond_a\varphi$ 
(symmetry); G $\Diamond_a\Box_a\varphi \to \Box_a\Diamond_a\varphi$ (confluence). 

Axiom 4 is also known as “positive introspection”; axiom 5 in its equivalent 
form $\neg\Box_a\varphi \to \Box_a\neg\Box_a\varphi$ is known as “negative introspection”. Unimodal systems 
(involving only one agent’s modality) are characterized by their constituting rules 
and axioms: K, KD, KD4, KD45, etc. If S is a standard modal system, then 
$S_m$ is its m-agent counterpart. A state verifies a logic S if it verifies all the 
theorems of S. 


3 Minimal Information in Multi-modal Logic 


Suppose we have an information order $\leq^a$ on states. When do we consider the 
information $\varphi$ to be minimal for agent a? We suggest that $\varphi$ constitutes minimal 
information for a, or that $\varphi$ is a-honest, if $\Box_a\varphi$ is true in a least state (M, w). 


Definition 1. A formula $\varphi$ is a-honest with respect to S and $\leq^a$ iff there is an 
S-state (M, w) such that $M, w \models \Box_a\varphi$ and 


$M', w' \models \Box_a\varphi \Rightarrow M, w \leq^a M', w'$ for all S-states (M’, w’). 


This characterization of minimal information may however not always be 
convenient. In some cases one would prefer a syntactic characterization, a deductive 
test, or a combination of these. This can be achieved by relating the 
information order $\leq^a$ to a proper sublanguage $\mathcal{L}^a$ through persistence [for all $\varphi \in \mathcal{L}^a$: 
$M, w \leq^a M', w' \Rightarrow (M, w \models \varphi \Rightarrow M', w' \models \varphi)$] and a converse of this, called 
characterization [(for all $\varphi \in \mathcal{L}^a$: $M, w \models \varphi \Rightarrow M', w' \models \varphi$) $\Rightarrow M, w \leq^a M', w'$]. 
We are now able to propose alternative approaches to minimality: 


(1) Formula $\varphi$ has a $\leq^a$-least verifying S-state (i.e. there exists a state (M, w) 
verifying S such that $M, w \models \Box_a\varphi$ and for all states (M’, w’) verifying S: 
$M', w' \models \Box_a\varphi \Rightarrow M, w \leq^a M', w'$). 

(2) Formula $\varphi$ has an $\mathcal{L}^a$-smallest S-m.c. expansion (i.e. there exists a maximal 
S-consistent $\Gamma$ such that $\varphi \in \Gamma$ and for all S-m.c. $\Delta$: $\varphi \in \Delta \Rightarrow \Gamma \cap \mathcal{L}^a \subseteq \Delta$). 

(3) Formula $\varphi$ has S-DP with respect to $\mathcal{L}^a$, i.e. $\varphi$ is S-consistent and for every 
$\psi_1, \psi_2, \ldots, \psi_k \in \mathcal{L}^a$: $\varphi \vdash_S (\psi_1 \lor \cdots \lor \psi_k) \Rightarrow$ for some $i \leq k$: $\varphi \vdash_S \psi_i$. 


Theorem 1. Let $\mathcal{L}^a$ be a characteristic persistent sublanguage of $\mathcal{L}$ with respect 
to $\leq^a$. Then the minimal information equivalences hold for $\mathcal{L}^a$ and $\leq^a$, i.e., 
the conditions (1), (2) and (3) above are equivalent. More specifically, given 
the condition, $\varphi$ is a-honest with respect to $\leq^a$ and S iff (all statements are 
equivalent): 


- $\Box_a\varphi$ has a $\leq^a$-least S-state 
- $\Box_a\varphi$ has an $\mathcal{L}^a$-smallest S-m.c. expansion 
- $\varphi$ has a $\Box_a^-\mathcal{L}^a$-smallest a-stable expansion 
- $\Box_a\varphi$ has S-DP over $\mathcal{L}^a$. 


Here, $\Sigma$ is a-stable if $\Sigma = \Box_a^-\Gamma$ for some S-m.c. $\Gamma$, and $\Sigma$ is a stable expansion 
of $\psi$ if $\Sigma$ is stable and $\psi \in \Sigma$. Linking some of these criteria, we can say that 
$\varphi$ is (a-)honest if true in some world (w) in an appropriate model (M) where 
part of the knowledge in that world is minimal (since then $\Box_a^- Th(M, w)$ is its 
$\Box_a^-\mathcal{L}^a$-smallest stable expansion), which seems a fairly intuitive notion. When 
the equivalent notions of Theorem 1 hold for a particular order $\leq^a$, system S 
and language $\mathcal{L}^a$, we say that $\leq^a$ and $\mathcal{L}^a$ determine a notion of honesty in S. We 
can also link up the semantic definition of honesty with deduction, providing a 
perhaps even more intuitive characterization:¹ 


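Corollary 1. Let $\mathcal{L}^a$ be persistent and characterizing for $\leq^a$. Then $\varphi$ is a-honest 
with respect to $\leq^a$ and S iff there is an S-state (M, w) such that: 


$M, w \models \Box_a\varphi$ and $\forall\psi \in \mathcal{L}^a$: $M, w \models \psi \Rightarrow \Box_a\varphi \vdash_S \psi$ 
or, equivalently, $\forall\psi \in \mathcal{L}^a$: $M, w \models \psi \Leftrightarrow \Box_a\varphi \vdash_S \psi$ 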


All this makes clear that we ‘just’ have to specify which part of the knowledge 
is involved. More formally speaking, we have to pinpoint the right information 
order $\leq^a$, or, equivalently, its characterizing persistent sublanguage $\mathcal{L}^a$. This, 
however, is a non-trivial problem, since surely not every information order has 
such a characterizing persistent sublanguage. For example, if $\leq^a$ is mere 
identity or even isomorphism of models, not even the entire language suffices to 
characterize the model (up to isomorphism). Also, pursuing our results for the 
single-agent approach, we know that unlimited bisimulation is too strong a re- 
quirement, vide [6]. As we showed in our earlier paper, a layered, limited kind 
of bisimulation is preferable. Two technically correct orders in the single agent 
case will be generalized in the next subsections. Although the initial, so-called 
general information order is not intuitively sound, it serves as a first step to more 
profound information orders. But we start by generalizing an umbrella result for 
such layered pre-orders. 


3.1 Layered Information Orders 


An information order and its characterizing persistent language can be obtained 
along fairly general patterns from the underlying layered orders and their char- 
acterizing persistent languages. This is a very convenient tool for many orders 
to follow, since we can restrict attention to one simple layer at the time. 

Suppose $\leq_n^a$ is a pre-order on the set of model-world pairs for each 
natural number n (‘layer n’). From now on, assuming $M = \langle W, R, V\rangle$ and $M' = 
\langle W', R', V'\rangle$, the base case will be defined as $M, w \leq_0^a M', w' \Leftrightarrow V(w) = V'(w')$. 
Then we define $\leq^a$ for any layered order $\leq_n^a$ by: 


$M, w \leq^a M', w' \Leftrightarrow \forall n \in \mathbb{N}\ \forall v' \in R'_a[w']\ \exists v \in R_a[w] : M, v \leq_n^a M', v'$. 


¹ This characterization was triggered by a question of Arnis Vilks. 
We say that $\leq^a$ is induced by $\leq_n^a$ if the above equivalence holds. Finally, let $\mathcal{L}^a$ 
be a sublanguage and $\mathcal{L}^a_{(n)} = \mathcal{L}^a \cap \mathcal{L}_{(n)}$ be its subset of formulas of modal depth 
up to n. The following Lemma explains how a persistence and characterization 
result for languages with finite depth and layered orders can be lifted to the full 
language and the induced order. Lemma 1 will be implicitly used throughout 
the paper. 


Lemma 1 (Collecting). If $\mathcal{L}^a_{(n)}$ is persistent and characterizing for $\leq_n^a$, and 
$\mathcal{L}^a$ is closed under $\lor$, then $\Box_a\mathcal{L}^a$ is persistent and characterizing for $\leq^a$. 


We will now inspect orders inspired by Ehrenfeucht-Fraissé games (see, for ex- 
ample, [1,4]). 


3.2. The Multi-modal General Information Order 


In the first Ehrenfeucht-Fraïssé order the underlying, layered order is in fact 
an equivalence relation (“EF-equivalence”). Define $\simeq_n^A$ recursively (recall that 
$M, w \simeq_0 M', w' \Leftrightarrow V(w) = V'(w')$)² by: $M, w \simeq_{n+1} M', w'$ iff 


- $M, w \simeq_n M', w'$ & 
- $\forall i \in A\ \forall v' \in R'_i[w']\ \exists v \in R_i[w] : M, v \simeq_n M', v'$ (back) & 
- $\forall i \in A\ \forall v \in R_i[w]\ \exists v' \in R'_i[w'] : M, v \simeq_n M', v'$ (forth) 


Then the general information order $\sqsubseteq^a$ is induced by $\simeq_n$. By a rather 
straightforward induction, one shows that $\mathcal{L}_{(n)}$ is characteristic and persistent for $\simeq_n$ 
and hence the collecting lemma gives that $\Box_a\mathcal{L}$ is persistent and characterizing 
with respect to $\sqsubseteq^a$. So, the information equivalences hold for $\sqsubseteq^a$ and $\Box_a\mathcal{L}$. We 
say that $\varphi$ is generally a-honest if $\Box_a\varphi$ has a $\sqsubseteq^a$-least model. This implies the 
usual equivalences, i.e., $\sqsubseteq^a$ and $\Box_a\mathcal{L}$ determine a notion of a-honesty in S, for 
any modal system S. 
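
The layered EF-equivalence is a depth-bounded bisimulation and can be computed by direct recursion on the layer. The sketch below is illustrative: the dictionary encoding of models, the helper names and the three example models are assumptions, not taken from the paper.

```python
# Assumed model encoding (illustrative):
#   {"R": {agent: {world: set_of_worlds}}, "V": {world: set_of_atoms}}

def succ(model, agent, w):
    # The set R_agent[w] of alternatives of w for the given agent.
    return model["R"].get(agent, {}).get(w, set())

def ef_equiv(n, m1, w1, m2, w2, agents):
    """Layer-n EF-equivalence between the states (m1, w1) and (m2, w2)."""
    if n == 0:
        # Base case: the two worlds agree on the atoms.
        return m1["V"][w1] == m2["V"][w2]
    if not ef_equiv(n - 1, m1, w1, m2, w2, agents):
        return False
    for i in agents:
        # back: every alternative in m2 is matched by one in m1
        back = all(any(ef_equiv(n - 1, m1, v, m2, v2, agents)
                       for v in succ(m1, i, w1))
                   for v2 in succ(m2, i, w2))
        # forth: every alternative in m1 is matched by one in m2
        forth = all(any(ef_equiv(n - 1, m1, v, m2, v2, agents)
                        for v2 in succ(m2, i, w2))
                    for v in succ(m1, i, w1))
        if not (back and forth):
            return False
    return True

# One reflexive p-world versus two mutually accessible p-worlds.
M1 = {"R": {"a": {"u": {"u"}}}, "V": {"u": {"p"}}}
M2 = {"R": {"a": {"v0": {"v0", "v1"}, "v1": {"v0", "v1"}}},
      "V": {"v0": {"p"}, "v1": {"p"}}}
# A p-world whose only alternative does not satisfy p.
M3 = {"R": {"a": {"x0": {"x1"}, "x1": set()}}, "V": {"x0": {"p"}, "x1": set()}}

SAME_AT_3 = ef_equiv(3, M1, "u", M2, "v0", ["a"])
SAME_AT_0 = ef_equiv(0, M1, "u", M3, "x0", ["a"])
SAME_AT_1 = ef_equiv(1, M1, "u", M3, "x0", ["a"])
```

The first pair of states cannot be told apart at layer 3, whereas the third model agrees with the first only at layer 0: at layer 1 the back clause fails. The naive recursion is exponential in n and is intended for small models only.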

However, as we noticed in [6], this notion of honesty is, though technically 
correct, intuitively a rather poor one. It also leads to excessive trivialization. In 
weak doxastic logics such as $KD_m$ and $KD4_m$, all formulae $\varphi$ such that $\Box_a\varphi$ is 
consistent are generally a-honest. For $K_m$ and $K4_m$, we can go a step further: 
all formulas are honest, as Halpern [2] notices for the first system. 

In (relatively) strong logics, however, i.e. systems with some form of negative 
introspection (such as 5, B and G), there are virtually no honest formulas, 
because then there surely are non-theorems $\Box_a\varphi_i$ such that $\vdash \Box_a\varphi_1 \lor \Box_a\varphi_2$, 
which leads to an easy violation of the Disjunction Property. For example, p is 
generally a-dishonest in $S5_m$: note that the formula $\Box_a\Diamond_b\neg p \lor \Box_a\Diamond_a\Box_b p$ is an 
instantiation of 5, so this formula is derivable from $\Box_a p$ in $S5_m$, whereas neither 
of its disjuncts is. 

So, as in the unimodal case, not much is left. Among the epistemic logics 
only a few systems such as $T_m$ and $S4_m$ survive. But even then $\sqsubseteq^a$ has 
counterintuitive effects: growth of information does not lead to less uncertainty, as it 
should. 


² The superscript A is omitted whenever clear from context. 
4 Generalizations of the Positive Order 


From the single agent case we know that only the positive information order 
is intuitively sound with respect to honesty. In a positive information order we 
merely want to preserve positive knowledge of one or more agents. In other 
words, we disregard negative knowledge, i.e. knowledge of not knowing. We, 
typically, encounter back simulation on the underlying layers, but usually no 
forth simulation, or only a restricted form of forth simulation. 

It is not a priori clear which notion of positive information order is involved. 
We will discuss several options in what follows, of which the last is the more 
general one, using both underlying layers from the general and from the so-called 
‘objective’ information order. We start by discussing a rather straightforward 
generalization from the single agent case. 


4.1 Positive Honesty 


The positive information order only preserves positive knowledge of agent a. 
It is the most obvious generalization of one-agent positive honesty. The formulas 
of the characterizing language do not have negative occurrences of $\Box_a$, and so, 
by definition, no $\Diamond_a$ either. Formally, let $\mathcal{L}^{+a}$ consist of those $\varphi \in \mathcal{L}$ for which $\varphi$ 
does not contain $\Box_a$ in the scope of $\neg$. Formulas in $\mathcal{L}^{+a}$ are called a-positive.³ So, 
$\Box_a p \lor \neg\Box_b q$, $\Box_a\neg p$ and $\Box_a p \land \neg q$ are members of $\mathcal{L}^{+a}$, but $\neg\Box_a p$ and $\Box_a p \lor \Diamond_a q$ 
are not. 
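
Membership in the a-positive language is a simple syntactic check. The sketch below reads the definition literally (no box for agent a anywhere under a negation); the tuple encoding of formulas and the function name are assumptions for illustration.

```python
# Assumed formula encoding (illustrative):
#   ("atom", "p"), ("not", f), ("and", f, g), ("or", f, g), ("box", agent, f)

def is_a_positive(f, a, under_negation=False):
    """True iff no box for agent a occurs in the scope of a negation in f."""
    tag = f[0]
    if tag == "atom":
        return True
    if tag == "not":
        return is_a_positive(f[1], a, True)
    if tag in ("and", "or"):
        return (is_a_positive(f[1], a, under_negation)
                and is_a_positive(f[2], a, under_negation))
    if tag == "box":
        if f[1] == a and under_negation:
            return False
        return is_a_positive(f[2], a, under_negation)
    raise ValueError(f"unknown connective: {tag!r}")

def dia(agent, f):
    # Dual operator, defined as not-box-not.
    return ("not", ("box", agent, ("not", f)))

P = ("atom", "p")
Q = ("atom", "q")

POSITIVE = ("or", ("box", "a", P), ("not", ("box", "b", Q)))  # Box_a p or not Box_b q
NEGATED = ("not", ("box", "a", P))                            # not Box_a p
DIAMOND = dia("a", P)                                         # Diamond_a p
```

Because the diamond is an abbreviation for not-box-not, `is_a_positive(DIAMOND, "a")` is false, which matches the remark that a-positive formulas contain no diamond for agent a.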

Now consider $\mathcal{L}^a = \Box_a\mathcal{L}^{+a}$. This is a correct generalization of the single agent 
positive language, which by itself is a generalization of the so-called objective 
one-agent formulas which suit S5. We will call the elements of $\Box_a\mathcal{L}^{+a}$ a-positive 
knowledge formulas. What is the corresponding $\leq^a$? Essentially, the underlying 
order displays the back direction of the EF-equivalence for all agents, operating 
on a-positive formulas until subformulas are reached that are $\Box_a$-free, where full 
EF-equivalence for all agents except a takes over. Then, $M, w \leq_{n+1}^{+a} M', w'$ iff: 


- $\forall i \in A\ \forall v' \in R'_i[w']\ \exists v \in R_i[w] : M, v \leq_n^{+a} M', v'$ (back) 


Let the positive information order $\leq^{+a}$ be induced by $\leq_n^{+a}$. Then $\mathcal{L}^{+a}_{(n)}$ is 
characteristic and persistent for $\leq_n^{+a}$, so the collecting lemma guarantees that $\Box_a\mathcal{L}^{+a}$ is 
persistent and characterizing with respect to $\leq^{+a}$. Thus, we obtain the following. 


Theorem 2. The minimal information equivalences hold for $\leq^{+a}$ and $\Box_a\mathcal{L}^{+a}$. 


Now, $\varphi$ is called positively a-honest if $\Box_a\varphi$ has a $\leq^{+a}$-least model. 

Thus, we have that $\leq^{+a}$ and $\Box_a\mathcal{L}^{+a}$ determine a notion of a-honesty in 
S, for any system S. So, the notion of positive honesty is technically sound, 
that is, there is a persistent language that characterizes the positive information 
order, and it seems a proper extension of the unimodal case. It avoids problems 


3 BNF-definitions of the languages considered are given at the end of this paper. 
objective honesty encounters, such as one noticed by Halpern [2] for $S5_m$ (or, 
more precisely, extensions of $KB4_m$): suppose p is some fact totally unrelated to 
a formula y (for example, p may not occur in y), then Ogg + OgpVO,O»7O, Uap. 
It is clear, however, that each of the disjuncts itself does not follow from Ogy. 
Yet y may constitute innocent knowledge, e.g. Oyg. But for our notion of positive 
honesty, this counter-example to the DP test is avoided by the restriction that 
the disjuncts should be in the a-positive knowledge language; here, obviously, 
p70, Ogp ¢ LT. 

Yet we do not want to exclude other possible notions of honesty a priori, and 
therefore now turn to one studied earlier. 


4.2 Objective Honesty 


To make a different start in formalizing multi-agent positive honesty, we return 
to Halpern’s [2] definition of a-objective formulas and the notion of honesty 
connected to it. Halpern reserves the notion objective honesty for the two strong 
doxastic systems $K45_m$ and $KD45_m$. This seems harmless for these two 
systems. Our main concern is that developing a whole apparatus for just two modal 
systems, and again different ones for others, leads to an approach which lacks 
generality and in fact conceals much of the general pattern. In fact, in Halpern’s 
approach it is not clear why a-objective formulas might be suitable for the two 
systems mentioned. We think that we can in fact explain much of the reasons 
for its feasibility. 

The idea of a-objective knowledge is that agent $a$ only has knowledge of
information ‘outside’ of $a$, i.e. knowledge of facts and other agents’ knowledge.
Such other agents’ knowledge may again involve $a$’s knowledge, but still counts
as external for $a$. This is easily formalized when we start with the a-objective
(that is, wide scope a-operator-free) formulas: let $\mathcal{L}^{-a}$ consist of those $\varphi \in \mathcal{L}$
for which $\varphi$ does not contain wide scope $\Box_a$. In other words, in an a-objective
formula, every $\Box_a$ and $\Diamond_a$ has to be in the scope of a $\Box_b$ or $\Diamond_b$ ($b \neq a$). Examples:
$\Box_a p \lor \Box_b q$ and $\Box_a\neg p$ are not in $\mathcal{L}^{-a}$, but $\neg\Box_b p$ and $\Box_b(p \lor \neg\Box_a q)$ are.

So where does agent $a$’s knowledge enter the story? Here it is: consider
the language $\Box_a\mathcal{L}^{-a}$. A formula is then called an a-objective knowledge formula if it is
of the form $\Box_a\varphi$ with $\varphi \in \mathcal{L}^{-a}$.
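The membership condition for a-objective formulas can be sketched as a small recursive check. This is only an illustration: the tuple encoding of formulas and the function names `is_objective` and `is_objective_knowledge` are assumptions of this sketch, not notation from the paper.

```python
# Formulas are nested tuples (an encoding assumed for this sketch):
#   ("atom", "p"), ("not", f), ("and", f, g), ("or", f, g),
#   ("box", agent, f), ("dia", agent, f)

def is_objective(formula, a):
    """True iff every operator of agent `a` lies in the scope of another agent's operator."""
    kind = formula[0]
    if kind == "atom":
        return True
    if kind == "not":
        return is_objective(formula[1], a)
    if kind in ("and", "or"):
        return is_objective(formula[1], a) and is_objective(formula[2], a)
    # Modal case: an operator of another agent shields everything below it,
    # whereas an operator of `a` at this point has wide scope.
    return formula[1] != a


def is_objective_knowledge(formula, a):
    """True iff the formula has the form box_a(phi) with phi a-objective."""
    return formula[0] == "box" and formula[1] == a and is_objective(formula[2], a)
```

Under this encoding, `("not", ("box", "b", ("atom", "p")))` is accepted as a-objective for agent `"a"`, while any formula with an unshielded `("box", "a", ...)` is rejected.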

The corresponding Ehrenfeucht-Fraïssé order $\leq^{-a}$ can be obtained from the
underlying layered order, which is again an equivalence relation. The recursive
clause for $\simeq^{-a}_{n+1}$ is the following: $M,w \simeq^{-a}_{n+1} M',w'$ iff

— $M,w \simeq^{-a}_{n} M',w'$ &

— $\forall i \neq a\ \forall v' \in R'_i[w']\ \exists v \in R_i[w] : M,v \simeq_n M',v'$ (back) &

— $\forall i \neq a\ \forall v \in R_i[w]\ \exists v' \in R'_i[w'] : M,v \simeq_n M',v'$ (forth)


So $\simeq^{-a}_{n+1}$ not only uses the general EF-equivalence relation on layer $n$; its overall
formulation is also close to that of the general information order, except that it shares
the exclusion of agent $a$ with the positive information order.
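For finite models, the recursive clause can be sketched as follows. Several details here are assumptions of the sketch rather than definitions from the paper: the base case on layer 0 (agreement on the propositional atoms), the reading of the general layered equivalence as the usual back-and-forth clause over all agents, the model encoding `(R, V)`, and the name `layered_equivalences`.

```python
from functools import lru_cache


def layered_equivalences(M1, M2, agents, a):
    """Return (general, objective), two functions of (n, w, w2).

    A model is a pair (R, V): R[i][w] is the set of i-successors of w and
    V[w] is the set of atoms true at w (encoding assumed for this sketch).
    """
    R1, V1 = M1
    R2, V2 = M2

    def zigzag(n, i, w, w2):
        # Back and forth for agent i, using the general relation on layer n.
        back = all(any(general(n, v, v2) for v in R1[i][w]) for v2 in R2[i][w2])
        forth = all(any(general(n, v, v2) for v2 in R2[i][w2]) for v in R1[i][w])
        return back and forth

    @lru_cache(maxsize=None)
    def general(n, w, w2):
        if n == 0:
            return V1[w] == V2[w2]  # assumed base case: same atoms
        return general(n - 1, w, w2) and all(zigzag(n - 1, i, w, w2) for i in agents)

    @lru_cache(maxsize=None)
    def objective(n, w, w2):
        if n == 0:
            return V1[w] == V2[w2]  # assumed base case: same atoms
        # Same shape as the general clause, but agent a's successors are ignored.
        return objective(n - 1, w, w2) and all(
            zigzag(n - 1, i, w, w2) for i in agents if i != a
        )

    return general, objective
```

Two models that differ only in what agent `a` considers possible can thus be related by `objective` on layer 1 while being separated by `general`.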

One can now prove that $\mathcal{L}^{-a}_{(n)}$ is characteristic and persistent for $\simeq^{-a}_n$. Thus, if
we define the objective information order $\leq^{-a}$ to be induced by $\simeq^{-a}_n$, the collecting
lemma guarantees that $\Box_a\mathcal{L}^{-a}$ is persistent and characterizing with respect to
$\leq^{-a}$.


Theorem 3. The information equivalences hold for $\leq^{-a}$ and $\Box_a\mathcal{L}^{-a}$.


This again implies that $\leq^{-a}$ and $\Box_a\mathcal{L}^{-a}$ determine a notion of (objective)
a-honesty in S, for any system S.

As can be seen from the format of the a-objective formulas, agent $a$’s own
knowledge is not taken into account. For fully introspective agents this is unproblematic
in the one-agent case: there one can show that positive knowledge formulas can
be reduced to disjunctions of objective knowledge formulas, which implies that
for each system containing K45, objective honesty amounts to positive honesty.

It should be emphasized that this equivalence only holds for the one-agent
case and fully introspective knowledge. For more agents there is no such reduction,
since an objective knowledge formula need not be (equivalent to) a positive one:
e.g. $\Box_a\Box_b\neg\Box_a p$ is an a-objective knowledge formula which is not related to any
a-positive knowledge formula whatsoever. If we want to generalize this equivalence
to fully introspective multi-agent systems, we have to relax the notion of positive
formula somewhat, as will be done in the next subsection.


4.3 Positive-Objective Honesty 


We want to generalize objective knowledge to what we consider to be a more
adequate notion of multi-modal honesty. The a-positive-objective formulas can,
roughly, be characterized as having no wide scope negative occurrence of $\Box_a$
operators. Again assume for simplicity’s sake that we only consider formulas
where every $\Diamond_i$ is replaced by $\neg\Box_i\neg$. Let $\mathcal{L}^{\pm a}$ consist of those $\varphi \in \mathcal{L}$ for which
every $\Box_a$ in $\varphi$ in the scope of $\neg$ is also in the scope of a $\Box_i$ with $i \neq a$. Thus,
$\mathcal{L}^{\pm a}$ can also be regarded as the closure of $\mathcal{L}^{-a}$ under the operations $\land$, $\lor$ and
$\Box_a$. Examples: $\Box_a p \lor \Box_b q$, $\Box_a p \land \neg q$ and $\Box_a\Box_b\neg\Box_a p$ are members of $\mathcal{L}^{\pm a}$, but
$\neg\Box_a p$ and $\Box_a\neg\Box_a\neg p \lor \Box_b q$ are not.
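The closure characterization lends itself to a direct recursive membership test. The following is a minimal sketch under the stated simplification that diamonds have been rewritten as negated boxes; the tuple encoding and the function names are assumptions of this illustration.

```python
# Formulas (encoding assumed for this sketch, diamonds already eliminated):
#   ("atom", "p"), ("not", f), ("and", f, g), ("or", f, g), ("box", agent, f)

def is_objective(f, a):
    """a-objective: no box of agent a outside the scope of another agent's box."""
    kind = f[0]
    if kind == "atom":
        return True
    if kind == "not":
        return is_objective(f[1], a)
    if kind in ("and", "or"):
        return is_objective(f[1], a) and is_objective(f[2], a)
    return f[1] != a  # a box of another agent shields its whole argument


def is_positive_objective(f, a):
    """Closure of the a-objective formulas under 'and', 'or' and box_a."""
    if is_objective(f, a):
        return True
    kind = f[0]
    if kind in ("and", "or"):
        return is_positive_objective(f[1], a) and is_positive_objective(f[2], a)
    if kind == "box" and f[1] == a:
        return is_positive_objective(f[2], a)
    return False  # a negation over an unshielded box of agent a
```

The check reproduces the classification of the five example formulas given above when they are encoded in this format.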

Once again, what is the corresponding $\leq^{\pm a}$? For evaluating formulas, we
essentially want to have recursive back moves for agent $a$ in the EF-order, until
a-objective formulas are reached, and then proceed with the a-objective
equivalence. So, more formally, the recursive step in $\leq^{\pm a}_{n+1}$ is defined by
$M,w \leq^{\pm a}_{n+1} M',w'$ iff:


— $M,w \simeq^{-a}_{n+1} M',w'$ &
— $\forall v' \in R'_a[w']\ \exists v \in R_a[w] : M,v \leq^{\pm a}_{n} M',v'$ (back)


Then the a-positive-objective information order $\leq^{\pm a}$ is induced by $\leq^{\pm a}_n$.


Now consider $\Box_a\mathcal{L}^{\pm a}$. Notice that $\mathcal{L}^{\pm a}$ extends both $\mathcal{L}^{+a}$ and $\mathcal{L}^{-a}$,
and thus generalizes both the positive and the objective approach. Since $\mathcal{L}^{\pm a}_{(n)}$ is
characteristic and persistent for $\leq^{\pm a}_n$, the collecting lemma shows that $\Box_a\mathcal{L}^{\pm a}$
is persistent and characterizing for $\leq^{\pm a}$. Now $\varphi$ is called positive-objectively
a-honest when $\Box_a\varphi$ has a $\leq^{\pm a}$-least model.

Theorem 4. The minimal information equivalences hold for $\leq^{\pm a}$ and $\Box_a\mathcal{L}^{\pm a}$.


This implies that $\leq^{\pm a}$ and $\Box_a\mathcal{L}^{\pm a}$ determine a notion of a-honesty in S. We
can show that for fully introspective systems the extension from objective to
positive-objective formulas is immaterial, since then again $a$’s positive-objective
knowledge can be reduced to a-objective knowledge. So, objective honesty and
positive-objective honesty coincide for $K45_m$, $KD45_m$, and $S5_m$. Although
positive, objective, and positive-objective honesty agree on (one agent) S5, they,
surprisingly, do not on $S5_m$ ($m > 1$). Since $\Box_a p \lor \Box_a\Diamond_b\neg\Box_b\Box_a p$ is derivable in
$S5_m$, there are virtually no (positive-)objectively honest formulas in this system.
However, we have already seen that for $S5_m$ the positive information order
seems correct.


5 Relating and Evaluating Types of Honesty 


In the previous section we noticed that for fully introspective systems the differ- 
ent types of honesty may actually coincide, depending on the number of agents 
m. But before checking examples and assessing the intuitive correctness of these 
notions, some more general observations can be made. 

The types of honesty distinguished in this paper are ordered as indicated in
Figure 1. This hierarchy easily follows from DP, using the fact that
$\Box_a\mathcal{L}^{+a} \cup \Box_a\mathcal{L}^{-a} \subseteq \Box_a\mathcal{L}^{\pm a} \subseteq \Box_a\mathcal{L}$.


                 general honesty
                        |
            positive-objective honesty
                 /              \
    positive honesty        objective honesty

Fig. 1. Relating notions of honesty


This reduces the number of checks to be made for specific examples. In gen- 
eral, dishonesty can be shown fairly easily by using the relevant DP, but it may 
be harder to show honesty more or less directly. It is not prima facie clear how 
to prove honesty, since DP then has to be checked for an infinite set of formulas. 
Also, minimality of stable expansions encounters similar problems and finding 
the least model may be non-trivial, which is related to the complexity of the
information orders. Presumably, for many relevant multi-modal systems these
intricate orders have simple counterparts.


To assess the adequacy of the notions of honesty, we picked a number of
examples and checked their (dis)honesty for the four types proposed, and for the
modal systems $S4_m$, $K45_m$ and $S5_m$ ($m > 1$). In addition to the hierarchy constraints
and the observation about collapse, we already noticed that there are hardly any
generally honest formulas for $K45_m$ and $S5_m$.


For the former system, inconsistent formulas are also vacuously generally
a-honest. Neither full information nor inconsistent information is of much interest
here. Moreover, for $S5_m$ we also noticed large (positive-)objective dishonesty.
Therefore, the formulas that are in some sense maximally honest (characterizing
innocent partial knowledge) display the left-hand pattern in Table 1 (‘pob’ denotes
positive-objective honesty, etc.). This pattern manifests itself in many formulas
that are also intuitively honest for agent a: p, Oyp, .... The most challenging 
cases are disjunctions of (negated) knowledge formulas. As we will see, whether 
or not they are intuitively honest largely depends on the agency of the knowing 
subject. So, also the following formulas are indeed maximally a-honest: OppVObpq, 
aPV Cag, OopV Cag, FopV Ong, and pV q. The other extreme are the totally dis- 
honest formulas displaying the pattern on the right, exemplified by the paradigm 
ap V Ugg. 


Table 1. Patterns of maximal (left) and minimal (right) honesty


     S4m  K45m  S5m          S4m  K45m  S5m
gen|  +    -     -      gen|  -    -     -
pob|  +    +     -      pob|  -    -     -
obj|  +    +     -      obj|  -    -     -
pos|  +    +     +      pos|  -    -     -


There are many (34) intermediate cases. A very common pattern here is the 
one in which honesty only depends on the amount of introspection attributed 
to the agents, witnessed by the pattern on the left below. Examples of formulas 
with this honesty pattern (displayed in Table 2, left) are O,p V Opg, Gap V Ong, 
and O,pVq. Also, honesty may depend on the type and not on the modal systems 
under inspection, as with the formula Ogp V O,0)0aq, showing the pattern on 
the right in Table 2. 


Finally, two more complicated patterns can be obtained by the formulas 
ab V Oa aq (on the left) and Gap V O,OaUag (right) in Table 3. 

The tentative conclusion from inspecting these examples is that positive
honesty seems to be the intuitively correct notion for multi-modal systems.

Table 2. Introspection (left) and type (right) dependent honesty patterns


     S4m  K45m  S5m          S4m  K45m  S5m
gen|  +    -     -      gen|  -    -     -
pob|  +    -     -      pob|  -    -     -
obj|  +    -     -      obj|  -    -     -
pos|  +    -     -      pos|  +    +     +


gen| - - - gen| - - - 
pob| + + - pob| + - - 
obj| + + - obj| + - - 
pos| + + + pos| + - 2 


6 Conclusion 


We have given generalizations of information orders for multi-agent only know- 
ing, which apply to arbitrary modal systems and ordinary Kripke models. Using 
a general theorem relating information orders and their corresponding (sub-) 
languages, we were able to identify several equivalent characterizations of hon- 
esty. In particular, we have explored the general information order and some 
positive and objective information orders. So-called positive honesty seems the 
intuitively correct notion here. 

An interesting question for future research concerns the transfer of techniques 
developed for the single agent case to multi-modal systems. For example, one 
might try to adapt the amalgamation techniques as used in [6] to prove, by 
means of the disjunction property, honesty in S4 and weaker systems. It is also 
interesting to generalize the test procedure as proposed and proved correct in 
[2] for objective honesty to other types of honesty. 

There are many ways to extend the multi-agent perspective on only knowing. 
For instance, one might give up the assumption that all agents use the same 
logic and move to heterogeneous systems. Also, a notion of group honesty is
as yet unexplored. Finally, we would like to investigate multi-agent honesty from a
more constructive perspective: can we give a procedure to generate a minimal
model for a given formula? And, can we extend the partial approach of [5] to 
the multi-agent case? 


References 


1. H.-D. Ebbinghaus & J. Flum, Finite Model Theory, Springer-Verlag, Berlin, 1995.
2. J.Y. Halpern, ‘Theory of Knowledge and Ignorance for Many Agents’, Journal
of Logic and Computation, 7 No. 1, pp. 79-108, 1997.
3. J.Y. Halpern & Y. Moses, ‘Towards a theory of knowledge and ignorance’, in K.R.
Apt (ed.), Logics and Models of Concurrent Systems, Springer-Verlag, Berlin, 1985.
4. M. Hennessy & R. Milner, ‘Algebraic laws for Nondeterminism and Concurrency’,
Journal of the ACM 32, pp. 137-161, 1985.
5. W. van der Hoek, J.O.M. Jaspars, & E.G.C. Thijsse, ‘Honesty in Partial Logic’,
Studia Logica, 56 (3), pp. 323-360, 1996. Extended abstract in proceedings of KR’94.
6. W. van der Hoek, J.O.M. Jaspars, & E.G.C. Thijsse, ‘Persistence and Minimality
in Epistemic Logic’, Annals of Mathematics and Artificial Intelligence, 27 (1999),
pp. 25-47, 2000. Extended abstract in J. Dix, U. Furbach, L. Fariñas del Cerro
(eds.), Logics in Artificial Intelligence. Proceedings JELIA’98, Springer-Verlag,
LNAI 1489.
7. G. Lakemeyer, ‘All they know: a study in multi-agent auto epistemic reasoning’,
IJCAI’93, pp. 376-381, 1993.
8. H.J. Levesque, ‘All I know: a study in auto-epistemic logic’, Artificial
Intelligence, 42(3), pp. 263-309, 1990.
9. G. Schwarz & M. Truszczyński, ‘Minimal knowledge problem: a new approach’,
Artificial Intelligence 67, pp. 113-141, 1994.
10. R. Parikh, ‘Monotonic and nonmonotonic logics of knowledge’, Fundamenta
Informaticae 15, pp. 255-274, 1991.
11. M. Vardi, ‘A model-theoretic analysis of monotonic knowledge’, IJCAI’85,
pp. 509-512, 1985.


268 Wiebe van der Hoek, Jan Jaspars, and Elias Thijsse 
Appendix: Defining Languages 


Here we give explicit BNF definitions of the (sub)languages considered in this 
paper. Before doing that we summarize the languages in Table 4: 


Table 4. Symbols, names and informal descriptions of languages 


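Name                               Language               Condition
$\mathcal{L} = \mathcal{L}^{A}$    full, general          no restriction
$\mathcal{L}^{-a}$                 a-objective            $\Box_a$ only in scope of $\Box_{i \neq a}$
$\mathcal{L}^{+a}$                 a-positive             no $\Box_a$ in scope of $\neg$
$\mathcal{L}^{\pm a}$              a-positive-objective   $\Box_a$ only in scope of $\neg$ if in scope of $\Box_{i \neq a}$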


The languages are now defined by the following BNF expressions: 
Table 5. Languages and their BNFs 


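Name                    BNF definition

$\mathcal{L}^{A}$       $\varphi ::= p\ (p \in P) \mid \neg\varphi \mid \varphi \land \varphi \mid \Box_i\varphi\ (i \in A)$
$\mathcal{L}^{-a}$      $\varphi_0 ::= p\ (p \in P) \mid \neg\varphi_0 \mid \varphi_0 \land \varphi_0 \mid \Box_i\varphi\ (i \in A - \{a\})$
$\mathcal{L}^{+a}$      $\varphi_1 ::= \varphi\ (\varphi \in \mathcal{L}^{A-\{a\}}) \mid \varphi_1 \land \varphi_1 \mid \varphi_1 \lor \varphi_1 \mid \Box_i\varphi_1\ (i \in A)$
$\mathcal{L}^{\pm a}$   $\varphi_2 ::= \varphi_0 \mid \varphi_2 \land \varphi_2 \mid \varphi_2 \lor \varphi_2 \mid \Box_a\varphi_2$

Abstract. In this paper, we present a logical framework that combines modality 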
with a first-order quantification mechanism. The logic differs from standard first- 
order modal logics in that quantification is not performed inside the states of a 
model, but the states in the model themselves constitute the domain of quantifi- 
cation. The locality principle of modal logic is preserved via the requirement that 
in each state, the domain of quantification is restricted to a subset of the entire set 
of states in the model. We show that the language is semantically characterised 
by a generalisation of classical bisimulation, called history-based bisimulation, 
consider its decidability and study the application of the logic to describe and 
reason about the topologies of multi-agent systems. 


1 Introduction 


Over the last years an increasing interest can be observed in large-scale distributed com- 
puting systems that consist of heterogeneous populations of interacting entities. Exam- 
ples from practice include for instance the electronic market places in which buyers and 
sellers come together to trade goods. This trend can also be observed in the fields of 
computer science and artificial intelligence with the current focus on multi-agent sys- 
tems [14]. In these systems, an agent constitutes an autonomous entity that is capable 
of perceiving and acting in its environment and additionally has a social ability to com- 
municate with other agents in the system. In heterogeneous multi-agent systems, the 
agents are assumed to be of different plumage, each having their individual expertise 
and capabilities. Moreover, in open multi-agent systems, new agents can be dynami- 
cally integrated [5]. 

One of the issues in open heterogeneous multi-agent systems is the agent location 
problem, which denotes the difficulty of finding agents in large populations [13]. For 
instance, given an agent that needs to accomplish a particular task that it is incapable of 
performing all by itself, the problem amounts to finding an agent that has the expertise 
and capabilities to join in this task. In these systems, it is typically impossible for the 
individual agents to maintain a complete list of the agents that are present. That is, each 
of the agents has a list of other agents that it knows of, but due to the dynamics of 
the system this list is normally not exhaustive. Hence, the agent needs to communicate
with the other agents in the system in order to learn about agents whose existence it is
currently not aware of. This enables the agent to extend its individual circle of
acquaintances.

© Springer-Verlag Berlin Heidelberg 2000


270 Rogier M. van Eijk et al. 


The purpose of this paper is to develop a formal logic to describe and reason about 
network topologies, like for instance the topology of multi-agent systems. Formally, 
such a network topology can be represented by a directed graph where the nodes in the
graph denote the entities in the system and the edges make up the acquaintance relation,
describing which entities know each other. Seen from a logical point of view, these
graphs constitute Kripke frames, which are employed in the semantics of modal logic 
[11]. This observation naturally leads to an approach of describing network topologies 
by means of modal logic, which is corroborated by the fact that we want to describe and 
reason about network topologies with respect to a local perspective, that is, from the 
viewpoint of a particular entity in the topology. Basic modal logic however is not fit to 
describe and reason about network topologies, as it does not have the expressive power 
to distinguish between bisimilar structures, like for instance loops and their unfoldings, 
which clearly induce different network topologies. 

In this paper, we present an extension of the basic modal logic with variables and 
a first-order quantification that complies with the locality principle of modal logic. It 
differs from the standard first-order modal logics [6] in that there is no quantification 
inside the states of a model. Instead, the states in the model themselves constitute the 
domain of quantification; i.e., the logic covers a mechanism of binding variables to 
states in a model. Such variable binding mechanisms are also gaining attention in the 
field of hybrid languages, which are languages originally developed with the objective 
to increase the expressiveness of tense logics [4]. Our framework can be viewed
as a formalisation of hybrid languages in terms of an equational theory in which we
can reason about the equalities (and inequalities) of states of a model. We preserve the
locality principle of modal logic via the requirement that in each state the domain of 
quantification is restricted to a subset of the entire set of states in the model. 

Moreover, we define a semantic characterisation of the logic, which is based on a 
generalisation of the classical notion of bisimulation equivalence. Instead of relating 
states, this generalised type of bisimulation relates tuples that are comprised of a state 
together with a sequence of states. In the semantic characterisation, these additional 
sequences are employed to represent variable bindings that are generated during the 
evaluation of formulae. 

The remainder of this paper is organised as follows. In Section 2, we start by
considering basic modal logic and graded modal logic, and argue that these are not well
suited as logics for network topologies. In Section 3, we develop the syntax and semantics of a
general modal logic with an implicit bounded quantification mechanism. Subsequently, 
in Section 4, we establish a semantic characterisation of the logic, while the decidability 
of the logic is discussed in Section 5. Additionally, in Section 6 we consider the appli- 
cation of the logic to describe and reason about the topologies of multi-agent systems. 
Finally, we wrap up in Section 7 where we provide some directions for future research. 


2 Towards a Logic for Network Topologies 


The most straightforward logic to describe and reason about network topologies is
standard first-order logic. However, rather than taking the bird’s-eye perspective, our aim is
to reason about network topologies from a local point of view. The following example
explains the difference between these two perspectives.


Example 1 (Local point of view) 

Consider an agent $w$ that knows two agents $v_1$ and $v_2$, each of which in turn knows one
other agent. The structures $\mathcal{M}$ and $\mathcal{N}$ in Figure 1 constitute two of the possible
situations. In situation $\mathcal{M}$, the two acquaintances of the acquaintances of $w$ are distinct,
while in $\mathcal{N}$ these two acquaintances are one and the same agent. From an external point
of view these two structures are clearly distinct. However, what if we consider them
from the local perspective of $w$? The crucial observation here is that whereas $v_1$ and $v_2$
are among the agents that are known by $w$, the agents $u_1$ and $u_2$ are not. Consequently,
as $w$ does not know the identity of either $u_1$ or $u_2$, it cannot decide whether they
are the same or distinct. In other words, as far as $w$ is concerned, the actual situation
could be the one depicted by $\mathcal{M}$ as well as the one depicted by $\mathcal{N}$. However, standard
first-order logic can obviously distinguish between these two situations.


Fig. 1. Network topologies with indirect acquaintances


Our purpose is to develop a (fragment of first-order) logic that is fit to reason about 
network topologies from a local perspective. 


2.1 Basic Modal Logic 


Languages that are designed to describe and reason about relational structures from a 
local perspective, are the languages of modal logic. The basic modal language can be 
defined as follows. 


Definition 2 (Basic modal language $\mathcal{L}_0$)
Formulae $\varphi$ in the language $\mathcal{L}_0$ are generated using the following BNF-grammar:


$\varphi ::= \top \mid \varphi_1 \land \varphi_2 \mid \neg\varphi \mid \Diamond\varphi$.


A modal formula is either equal to $\top$, the conjunction of two modal formulae, the
negation of a modal formula, or the operator $\Diamond$ followed by a modal formula. It is the
operator $\Diamond$ that gives the language its modal flavour; it has various readings, for
instance that of expressing possibility. The dual $\Box$ of this operator, which
is defined as $\neg\Diamond\neg$, can be thought of as denoting necessity. Finally, we assume the usual
abbreviations $\bot$ for $\neg\top$, $\varphi_1 \lor \varphi_2$ for $\neg(\neg\varphi_1 \land \neg\varphi_2)$ and $\varphi_1 \to \varphi_2$ for $\neg\varphi_1 \lor \varphi_2$. Note
that we do not consider propositional variables here.

The basic modal logic is used to reason about relational structures, especially about 
relational structures that are referred to as Kripke structures. 


Definition 3 (Kripke structures)
A structure for the language $\mathcal{L}_0$, which is also called a Kripke structure, is a tuple of the
form:


$M = (W, r)$,


where $W$ constitutes the domain of the structure, whose elements are referred to as
states, nodes, worlds or agents, and $r \subseteq W \times W$ denotes an accessibility relation on $W$.
For each state $w \in W$ we use the notation $r(w)$ to denote the set $\{u \in W \mid r(w,u)\}$.


The interpretation of modal formulae is given in the following truth definition. 


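Definition 4 (Truth definition for $\mathcal{L}_0$)
Given a structure $M = (W, r)$, a state $w \in W$ and a formula $\varphi \in \mathcal{L}_0$, the truth
definition $M,w \models \varphi$ is given by:


\[
\begin{array}{lcl}
M,w \models \top & & \\
M,w \models \varphi_1 \land \varphi_2 & \Leftrightarrow & M,w \models \varphi_1 \text{ and } M,w \models \varphi_2 \\
M,w \models \neg\varphi & \Leftrightarrow & M,w \not\models \varphi \\
M,w \models \Diamond\varphi & \Leftrightarrow & \exists v \in r(w) : M,v \models \varphi
\end{array}
\]


Additionally, we have $M \models \varphi$ if for all $w \in W$ it holds that $M,w \models \varphi$.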
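The truth definition translates almost line by line into a recursive evaluator over finite structures. The sketch below is illustrative only: the encoding of formulae as tuples, the representation of the relation as a dictionary of successor sets, and the three-state example structure are assumptions made here.

```python
# Formulae as tuples (encoding assumed for this sketch):
#   ("top",), ("and", f, g), ("not", f), ("dia", f)
# A structure is given by r: a dict mapping each state to its set of successors.

def holds(r, w, phi):
    """Evaluate a basic modal formula phi at state w."""
    kind = phi[0]
    if kind == "top":
        return True
    if kind == "and":
        return holds(r, w, phi[1]) and holds(r, w, phi[2])
    if kind == "not":
        return not holds(r, w, phi[1])
    if kind == "dia":
        return any(holds(r, v, phi[1]) for v in r[w])
    raise ValueError(f"unknown connective: {kind!r}")


def valid(r, phi):
    """phi holds in the structure if it holds at every state."""
    return all(holds(r, w, phi) for w in r)


# Hypothetical chain: w knows v, v knows u, u knows nobody.
chain = {"w": {"v"}, "v": {"u"}, "u": set()}
TOP = ("top",)
ACQ_OF_ACQ = ("dia", ("dia", TOP))  # "there is an acquaintance of an acquaintance"
```

In the example chain, `ACQ_OF_ACQ` holds at `w` but not at `v`, since `v` has an acquaintance that itself knows nobody.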


Kripke structures can be viewed as representing network topologies: the elements
of $W$ constitute the nodes in the network and the relation $r$ defines the accessibility
relation; e.g., $r(w,u)$ denotes that $w$ has access to $u$, or that $u$ is an acquaintance of $w$,
or that $w$ knows $u$, or that $w$ can communicate to $u$, and so on. The modal logic $\mathcal{L}_0$ can
then be used to describe these topologies. For instance, the formula $\Diamond\Diamond\top$ expresses that
there exists an acquaintance of an acquaintance. That is, $M,w \models \Diamond\Diamond\top$ holds in case
there exist $v$ and $u$ such that $r(w,v)$ and $r(v,u)$. The basic language $\mathcal{L}_0$ is however
not rich enough for adequate descriptions of network topologies.


Fig. 2. Different number of direct acquaintances


Consider for instance the two structures $\mathcal{M}$ and $\mathcal{N}$ in Figure 2. In the structure $\mathcal{M}$,
there is an agent that knows two different agents, while in the structure $\mathcal{N}$ only one agent
is known. From the perspectives of $w$ and $v$ these two structures clearly denote distinct
situations, as we assume that agents know the identities of their acquaintances and hence can
distinguish between the situation that their circle of acquaintances is comprised of two agents
and the situation that this circle consists of only one agent. However, the basic language $\mathcal{L}_0$
lacks the expressive power to distinguish between both networks; i.e., there does not
exist a formula $\varphi \in \mathcal{L}_0$ with $\mathcal{M},w \models \varphi$ and $\mathcal{N},v \not\models \varphi$. Formally, this follows from the
fact that these structures are bisimilar.
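The bisimilarity claim can be checked mechanically on finite structures by computing the largest bisimulation through iterated refinement. The sketch below is a naive illustration; the function name `bisimilar`, the state names `s1`, `s2` and `t`, and the assumption that the acquaintances in the figure know nobody themselves are all hypothetical choices made here.

```python
def bisimilar(r1, w1, r2, w2):
    """Check whether state w1 of structure r1 is bisimilar to state w2 of r2.

    Structures are dicts mapping each state to its set of successors. Since
    there are no propositional variables, every pair starts out related and
    pairs violating the back or forth condition are removed until stable.
    """
    rel = {(x, y) for x in r1 for y in r2}
    changed = True
    while changed:
        changed = False
        for (x, y) in list(rel):
            forth = all(any((x2, y2) in rel for y2 in r2[y]) for x2 in r1[x])
            back = all(any((x2, y2) in rel for x2 in r1[x]) for y2 in r2[y])
            if not (forth and back):
                rel.discard((x, y))
                changed = True
    return (w1, w2) in rel


# Hypothetical encoding of the two structures: w knows two agents, v knows one.
M = {"w": {"s1", "s2"}, "s1": set(), "s2": set()}
N = {"v": {"t"}, "t": set()}
```

With these structures, `bisimilar(M, "w", N, "v")` succeeds, whereas `w` is not bisimilar to the dead-end state `t`.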


2.2 Graded Modal Logic 


Graded modal logic is an extension of the basic modal language that deals with numbers
of successors [10]. Rather than one modal operator $\Diamond$, the graded language contains
a set $\{\Diamond_n \mid n \geq 0\}$ of operators. A formula of the form $\Diamond_n\varphi$ expresses that there
exist more than $n$ accessible worlds in which $\varphi$ holds. Hence, graded modal logic can
distinguish between the above models $\mathcal{M}$ and $\mathcal{N}$. For instance, we have $\mathcal{M},w \models \Diamond_1\top$
but $\mathcal{N},v \not\models \Diamond_1\top$.
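The counting reading of the graded operators can be illustrated with a small evaluator. This is a sketch under assumptions: the tuple encoding, the state names, and the choice that the acquaintances in the two structures have no successors are hypothetical.

```python
# Graded formulae as tuples (encoding assumed for this sketch):
#   ("top",), ("and", f, g), ("not", f), ("dia", n, f)
# where ("dia", n, f) reads: more than n accessible states satisfy f.

def holds_graded(r, w, phi):
    """Evaluate a graded modal formula phi at state w of structure r."""
    kind = phi[0]
    if kind == "top":
        return True
    if kind == "and":
        return holds_graded(r, w, phi[1]) and holds_graded(r, w, phi[2])
    if kind == "not":
        return not holds_graded(r, w, phi[1])
    if kind == "dia":
        n, sub = phi[1], phi[2]
        witnesses = sum(1 for v in r[w] if holds_graded(r, v, sub))
        return witnesses > n
    raise ValueError(f"unknown connective: {kind!r}")


# Hypothetical encoding: w knows two agents, v knows one.
M = {"w": {"s1", "s2"}, "s1": set(), "s2": set()}
N = {"v": {"t"}, "t": set()}
TOP = ("top",)
```

Here `("dia", 1, TOP)` separates `w` from `v`, while `("dia", 0, TOP)`, which behaves like the basic diamond, does not.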

Graded modal languages are still not suitable to describe network topologies. For
instance, consider the two structures $\mathcal{M}$ and $\mathcal{N}$ in Figure 3, which denote a loop and
its unfolding, respectively.


Fig. 3. Loop and its unfolding


In $\mathcal{M}$, there is an agent that knows only itself, whereas in
$\mathcal{N}$ there is an agent that knows another agent that knows another agent that knows yet
another agent ... and so on. However, whereas we believe that an adequate logic for
network topologies should be able to distinguish between these two structures, it can be
shown that graded modal logic lacks the expressive power to do so.


3 Modal Logic with Bounded Quantification 


Our analysis is that basic modal logic and its extension with graded modalities
are not adequate to describe network topologies because they lack a mechanism for
dealing with identities. For instance, if we reconsider the structure $\mathcal{M}$ from Figure 2,
then although $v_1$ and $v_2$ have no distinguishable property that is expressible in the
language $\mathcal{L}_0$, there is one significant intrinsic difference between them, namely their
identity; i.e., they are two distinct states in the topology.

Our approach in developing a logic for network topologies therefore consists in
extending the basic modal logic with a mechanism for dealing with state identity. That
is, the language $\mathcal{L}_0$ is expanded with a collection Var of variables that are used as state
identifiers. In order to be able to instantiate these variables we additionally introduce a
form of implicit bounded quantification. We refer to this language as $\mathcal{L}_1$.

Definition 5 (The extended modal language $\mathcal{L}_1$)
Given a set Var of variables, terms $t$ and formulae $\varphi$ are generated using the following
BNF-grammar:

$t ::= \mathit{self} \mid x$

$\varphi ::= (t_1 = t_2) \mid \varphi_1 \land \varphi_2 \mid \neg\varphi \mid \Diamond\varphi \mid \exists x\varphi$,


where $x$ ranges over the variables of Var.


We assume the usual abbreviation $\forall x\varphi$ for $\neg\exists x\neg\varphi$. The formula $\top$ can be modelled as
the formula self = self. A formula $\varphi$ is called a sentence if it contains no free variables,
i.e., all variables $x$ in $\varphi$ occur in the scope of a quantifier $\exists x$.

The language $\mathcal{L}_1$ extends the language $\mathcal{L}_0$ with variables to denote the identities of
states; there is additionally a special constant self that always denotes the current state.
An atomic formula is of the form $t_1 = t_2$, expressing that two terms denote the same
state. Additionally, a formula of the form $\exists x\varphi$ expresses that there exists a state (which
is denoted by $x$) for which $\varphi$ holds.

Although the syntax of the language $\mathcal{L}_1$ closely resembles the syntax of first-order
modal logic [6], there is a fundamental difference in the semantics of both languages.
In first-order modal logic, quantification is performed inside the states of a model. That
is, each state constitutes a model in itself as it contains a domain over which the
existential quantifier $\exists$ can quantify. However, in the present logic, the states of a model
themselves constitute the domain of quantification. Moreover, there is a second
fundamental difference, namely in the range of quantification. Whereas in first-order modal
logic the existential quantifier ranges over the entire domain, in our logic it is restricted
to range over a subdomain, namely over the states that are directly reachable via the
accessibility relation. The rationale behind this is that, for instance in the setting of multi-agent
topologies, the accessible agents are precisely the agents whose identities are known.
Moreover, it gives rise to a form of implicit bounded quantification that complies with
the local character of modal logic: just as one is not allowed to go from one state to an
arbitrary state, but only to an accessible state, one cannot instantiate variables with arbitrary
states but only with states that are accessible.

To obtain a framework that is as general as possible (and that perhaps can be ap- 
plied to other areas besides network topologies), we explicitly distinguish between the 
accessibility relation and the domains of quantification. That is, we introduce the notion 
of a neighbourhood relation which defines for each state the collection of states over 
which can be quantified in this state. 


Definition 6 (Structures for the language $\mathcal{L}_1$)
A structure for $\mathcal{L}_1$ is a tuple of the form:


$M = (W, r, n)$,


where $W$ constitutes the domain of the structure, $r \subseteq W \times W$ denotes an accessibility
relation on $W$ and $n \subseteq W \times W$ denotes a neighbourhood relation on $W$. For each
state $w \in W$, we use $n(w)$ to denote the set $\{u \in W \mid n(w,u)\}$ of states in the
neighbourhood.

A network topology is then a special type of structure, namely a structure $(W, r, n)$ that
satisfies $n = r$ and additionally $w \in n(w)$, for all $w \in W$. Thus, network topologies
are structures in which the neighbourhood relation coincides with the accessibility
relation and each state is part of its own neighbourhood (and thus also accessible from
itself). The rationale behind the latter requirement is that we assume that each agent in
a network knows itself (cf. [8]).

In order to interpret formulae from the language $\mathcal{L}_1$, we need to extend the truth
definition of $\mathcal{L}_0$ with a mechanism for interpreting variables. We achieve this via the
standard notion of an assignment function.


Definition 7 (Assignment function) 

Given a structure $M = (W, r, n)$, an assignment function $f$ is a partial function of type
Var → W with finite domain, which maps variables to states in the structure. The
set (W) consists of all assignment functions over W. The empty assignment function, 
which is undefined for all inputs, is denoted by (). Moreover, given an assignment f, a 
state $w \in W$ and a variable $x \in$ Var, we define the variant $f[x \mapsto w]$ of $f$ to be the
function defined by:

\[
f[x \mapsto w](y) =
\begin{cases}
w & \text{if } y \equiv x \\
f(y) & \text{otherwise}
\end{cases}
\]

where $\equiv$ stands for syntactic equality.


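The interpretation of terms and formulae in the language $\mathcal{L}_1$ is given via the following
truth definition.


Definition 8 (Truth definition for $\mathcal{L}_1$)
Given a structure $M = (W, r, n)$, a state $w \in W$, and an assignment $f$ : Var → W,
we define the interpretation of terms $t$ in $\mathcal{L}_1$ as follows:

\[
I_{w,f}(t) =
\begin{cases}
w & \text{if } t \equiv \mathit{self} \\
f(t) & \text{otherwise}
\end{cases}
\]

The truth definition $M,w,f \models \varphi$ is given by:

\[
\begin{array}{lcl}
M,w,f \models (t_1 = t_2) & \Leftrightarrow & I_{w,f}(t_1) = I_{w,f}(t_2) \\
M,w,f \models \varphi_1 \land \varphi_2 & \Leftrightarrow & M,w,f \models \varphi_1 \text{ and } M,w,f \models \varphi_2 \\
M,w,f \models \neg\varphi & \Leftrightarrow & M,w,f \not\models \varphi \\
M,w,f \models \Diamond\varphi & \Leftrightarrow & \exists v \in r(w) : M,v,f \models \varphi \\
M,w,f \models \exists x\varphi & \Leftrightarrow & \exists v \in n(w) : M,w,f[x \mapsto v] \models \varphi
\end{array}
\]

Additionally, we have $M,w \models \varphi$ if for all assignments $f$ it holds that $M,w,f \models \varphi$.
Finally, we have $M \models \varphi$ if for all $w \in W$ it holds that $M,w \models \varphi$.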
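The clauses of this truth definition can be mirrored in a short evaluator for finite structures. The following is a sketch only; the tuple encoding of formulae, the use of Python dictionaries for assignments, and the two-state example topology are assumptions made for illustration. It evaluates a formula under one given assignment, so it is intended for sentences and for formulae whose free variables are bound by that assignment.

```python
# Terms: the string "self" or a variable name (any other string).
# Formulae (encoding assumed for this sketch):
#   ("eq", t1, t2), ("and", f, g), ("not", f), ("dia", f), ("exists", x, f)

def term_value(w, f, t):
    """I_{w,f}(t): self denotes the current state, a variable its binding under f."""
    return w if t == "self" else f[t]


def holds(r, n, w, f, phi):
    """Evaluate phi at state w under assignment f in the structure (W, r, n)."""
    kind = phi[0]
    if kind == "eq":
        return term_value(w, f, phi[1]) == term_value(w, f, phi[2])
    if kind == "and":
        return holds(r, n, w, f, phi[1]) and holds(r, n, w, f, phi[2])
    if kind == "not":
        return not holds(r, n, w, f, phi[1])
    if kind == "dia":
        # Shift of perspective: the point of evaluation moves from w to v.
        return any(holds(r, n, v, f, phi[1]) for v in r[w])
    if kind == "exists":
        # Quantification over the neighbourhood: the point of evaluation stays at w.
        x, body = phi[1], phi[2]
        return any(holds(r, n, w, {**f, x: v}, body) for v in n[w])
    raise ValueError(f"unknown connective: {kind!r}")


# Hypothetical network topology (n = r, every state in its own neighbourhood).
r = {"w": {"w", "v"}, "v": {"v"}}
n = r
KNOW_YOURSELF = ("exists", "x", ("eq", "x", "self"))
TWO_DISTINCT = ("exists", "x", ("exists", "y", ("not", ("eq", "x", "y"))))
```

In this example `KNOW_YOURSELF` holds at both states, while `TWO_DISTINCT` holds only at `w`, whose neighbourhood contains two different states.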


Note the difference in the truth definition between the operators $\Diamond$ and $\exists$ with respect to
the point of evaluation: in the truth definition of the former operator there is a shift in
perspective, viz. from $w$ to $v$, whereas in the latter, the point of view $w$ remains fixed. In
other words, $\exists$ quantifies over the current neighbourhood while the operator $\Diamond$ is used
to change the current scope of quantification. Additionally, note that the constant self
constitutes a non-rigid designator [6] in the sense that its denotation differs among the
states in a structure; in particular, in each state the denotation of this designator is the
state itself.

We could say that the logic ℒ₁ exhibits a separation between the mechanisms of 
structure traversal and variable instantiation; that is, the operator ◇ is used to make 
shifts of perspective along the accessibility relation, while the operator ∃ is employed to 
instantiate variables with states in the neighbourhood. The general set-up of the semantic 
framework enables us to consider modality and quantification in isolation as well as to 
explore their interplay. For instance, we are in a position to examine to what extent the 
language ℒ₁ can express connections between the accessibility and the neighbourhood 
relation: e.g., it can express the property that the neighbourhood relation is a subrelation 
of the accessibility relation. That is, for all structures M = (W, r, n) and states w ∈ W 
the following holds: M, w ⊨ ∀x◇(x = self) ⇔ n(w) ⊆ r(w). The converse inclusion, 
however, cannot be expressed: in Corollary 16, we state that there does not exist a 
formula that expresses r(w) ⊆ n(w), for all w. A straightforward refinement 
of the language would be an extension with the inverse operator of ◇, which has a 
natural interpretation in the context of network topologies, as it denotes the is-known-by 
relation. The interpretation of this operator, which we denote by ◇⁻¹, is as follows: 

    M, w, f ⊨ ◇⁻¹φ   ⇔   ∃v : w ∈ n(v) and M, v, f ⊨ φ. 

Given a structure M = (W, r, n), for which we assume w ∈ n(w), for all w ∈ W, the 
following holds. For all states w ∈ W: 

    M, w ⊨ ∃x(x = self ∧ □(∃y(y = self ∧ ◇⁻¹(x = self ∧ ∃z(z = y))))) 
    ⇔ 
    r(w) ⊆ n(w). 


To obtain some further familiarity with the language ℒ₁, let us consider several 
properties of network topologies that we can express with it. 


Example 9 


— First of all, the formula ∃x(x = self), which can be thought of as expressing 
“knowing yourself”, is valid in any network topology. 

— Secondly, the formula ∃x(x = self ∧ □◇(x = self)) is true in a state in case all 
accessible states have in turn access to this state. In other words, it expresses 
“everyone that I know, knows me”. 

— Additionally, the formula ∃x∃y(¬(x = y) ∧ ◇(x = self ∧ ¬◇(y = self)) ∧ ◇(y = 
self ∧ ¬◇(x = self))) is true in a particular state, in case there are two distinct 
accessible states that are not accessible to one another. Informally, it can be thought 
of as expressing “I know two agents that do not know each other”. 

— Finally, we illustrate that quantification does not commute with modality. Consider 
the formula ∃x□(x = self), which is true in a state in case there is exactly one 
accessible state, and as in network topologies the accessibility relation is reflexive, 
can be thought of as expressing “I know of only myself”. On the other hand, the 
formula □∃x(x = self), which can be thought of as expressing “everyone that I 
know, knows itself”, is valid in any network topology. 

In this section, we study the expressiveness of the extended modal language ℒ₁. In 
particular, we address the issue of which properties the language can express and which 
properties are beyond its expressive power. The central result of this study is a semantic 
characterisation of the language, which amounts to the identification of the conditions 
under which two structures satisfy precisely the same formulae of ℒ₁. 

For the basic modal language ℒ₀ the semantic characterisation is given by the 
notion of a bisimulation [3,9]. That is, two structures satisfy the same modal formulae 
from ℒ₀ if and only if they are related by a bisimulation.¹ The language ℒ₁ combines 
the standard modal logic ℒ₀ with a bounded quantification mechanism. In order to deal 
with variable instantiation we employ the notion of an injective sequence. 


Definition 10 (Sequences) 


— Given a set W of states, a sequence w̄ = [w₁ ⋯ wₙ] over W is called injective 
if wᵢ = wⱼ implies i = j, for all 1 ≤ i, j ≤ n. We employ the notation [W] to 
denote the set of all injective sequences over W. Additionally, for all U ⊆ W, we 
say w ∈ U \ w̄ in case w is an element of U but does not occur in w̄. We use the 
notation wᵢ to denote the i-th element of w̄. Finally, [] denotes the empty sequence. 

— The operator • : [W] × W → [W] appends states to sequences of states; i.e., 
[w₁ ⋯ wₙ] • w = [w₁ ⋯ wₙ w], provided that w does not occur in [w₁ ⋯ wₙ]. 


Injective sequences can be thought of as abstractions of assignment functions, which 
contain just the information that is needed in the semantic characterisation. That is, 
each assignment function f : Var → W, which we assume to be of finite range, can 
be represented by an injective sequence consisting of the elements in the range of f in 
some particular order. This representation thus abstracts from the particular domain of 
the function f. 
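
As a small illustration of this abstraction, the following Python sketch represents 
injective sequences as tuples and assignments as dictionaries. The names append and 
as_sequence, and the choice of ordering the range by sorted variable name, are 
assumptions made for the example; the text only requires "some particular order". 

```python
def append(seq, w):
    """The append operator: defined only when w does not yet occur in seq."""
    if w in seq:
        raise ValueError(f"{w!r} already occurs in {seq!r}")
    return seq + (w,)


def as_sequence(f):
    """Represent a finite assignment f (dict: variable -> state) by an
    injective sequence over its range, forgetting the variable names."""
    seq = ()
    for x in sorted(f):          # assumed order: alphabetical by variable
        if f[x] not in seq:      # skip states that are already recorded
            seq = append(seq, f[x])
    return seq
```

For instance, the assignment {x ↦ a, y ↦ b, z ↦ a} is represented by the sequence 
[a b]: the state a is recorded once even though two variables denote it. 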

We are now in a position to define the notion of a history-based bisimulation, 
which extends the notion of a bisimulation with a mechanism that handles bounded 
quantifications. For technical convenience only, we assume that the variables in 
formulae are bound only once.² That is, we do not consider formulae of the form ∃x(φ ∧ ∃xψ). 
This is not a real restriction as we can always take an alphabetic variant of these 
formulae: ∃x(φ ∧ ∃y(ψ[y/x])) where y is a fresh variable, which is logically equivalent. 


Definition 11 (History-based bisimulation) 
Given the models M = (W, r^M, n^M) and N = (U, r^N, n^N), a relation 

    Z ⊆ (W × [W]) × (U × [U]) 

is called a history-based bisimulation, if (w, w̄) Z (u, ū) implies the following: 

(self) w = wᵢ iff u = uᵢ 

(var) wᵢ ∈ n^M(w) iff uᵢ ∈ n^N(u) 

(r-bisim) if w′ ∈ r^M(w) then ∃u′ ∈ r^N(u) with (w′, w̄) Z (u′, ū) 

(n-bisim) if w′ ∈ n^M(w) \ w̄ then ∃u′ ∈ n^N(u) \ ū with (w, w̄ • w′) Z (u, ū • u′) 

and vice versa for (r-bisim) and (n-bisim), where the roles of (w, w̄) and (u, ū) are 
interchanged. Additionally, we define w Z u to hold in case (w, []) Z (u, []). 

¹ Properly, this is not true; one has to assume the image finiteness property or to consider 
ultrafilter extensions. 

² This simplifies the condition (n-bisim) in Definition 11, as it allows us to restrict to extensions 
of sequences rather than having to account for removals of states as well. 


Example 12 (History-based bisimulation) 

To illustrate the notion of a history-based bisimulation, let us return to the structures 
M and N depicted in Figure 3, where we assume that the neighbourhood relation 
coincides with the accessibility relation. The language ℒ₁ distinguishes between these two 
structures; consider for instance the formula ∃x(x = self). 

We argue that there does not exist a history-based bisimulation Z with w Z v₁. For 
suppose that such a relation exists; then (w, []) Z (v₁, []) and condition (n-bisim) requires 
(w, [w]) Z (v₁, [v₂]), and subsequently by (r-bisim) we obtain (w, [w]) Z (v₂, [v₂]). 
However, this is in contradiction with condition (var), as w ∈ n(w) while v₂ ∉ n(v₂). Hence, 
we conclude that such a relation Z does not exist. 

This simple case shows why the bisimulation is called history-based: the sequences 
[w] and [v₂] represent histories of states that have been encountered in neighbourhoods 
while traversing the structures M and N along their accessibility relation. If the 
elements of these sequences are encountered again in M, that is, are in the neighbourhood 
of the present state w, this should be mimicked in N, that is, the corresponding elements 
should be in the neighbourhood of the present state v₂. 


If we restrict ourselves to finite structures, the notion of a history-based bisimulation is 
decidable. Note that it is crucial here that injective sequences do not contain repetitions 
of states. 


Observation 13 (Decidability of history-based bisimulation) 
Given structures M and N with finite domains, for all states w ∈ M and u ∈ N, it is 
decidable whether there exists a history-based bisimulation Z with w Z u. 
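
One way to see why the observation is plausible is a naive greatest-fixpoint check: 
because injective sequences over a finite domain have bounded length, only finitely 
many pairs of configurations are reachable. The Python sketch below is an assumed 
procedure, not an algorithm given in the paper. It explores the reachable 
configuration pairs, keeps those satisfying (self) and (var), and repeatedly discards 
pairs for which some (r-bisim) or (n-bisim) challenge, in either direction, has no 
surviving answer. The function name and the dictionary encoding of structures are 
hypothetical. 

```python
def hb_bisimilar(M, N, w0, u0):
    """Is there a history-based bisimulation Z with w0 Z u0?
    M, N: finite structures {'r': state -> set, 'n': state -> set}."""
    rM, nM, rN, nN = M["r"], M["n"], N["r"], N["n"]

    def locally_ok(cfg):
        # Conditions (self) and (var), checked position by position.
        (w, ws), (u, us) = cfg
        return all((w == wi) == (u == ui) and (wi in nM[w]) == (ui in nN[u])
                   for wi, ui in zip(ws, us))

    def challenges(cfg):
        # One list of candidate answers per forth/back challenge.
        (w, ws), (u, us) = cfg
        out = []
        for w2 in rM[w]:                                   # r-bisim, forth
            out.append([((w2, ws), (u2, us)) for u2 in rN[u]])
        for u2 in rN[u]:                                   # r-bisim, back
            out.append([((w2, ws), (u2, us)) for w2 in rM[w]])
        new_w = [x for x in nM[w] if x not in ws]
        new_u = [y for y in nN[u] if y not in us]
        for w2 in new_w:                                   # n-bisim, forth
            out.append([((w, ws + (w2,)), (u, us + (u2,))) for u2 in new_u])
        for u2 in new_u:                                   # n-bisim, back
            out.append([((w, ws + (w2,)), (u, us + (u2,))) for w2 in new_w])
        return out

    start = ((w0, ()), (u0, ()))
    seen, todo = {start}, [start]
    while todo:                                            # finite exploration
        cfg = todo.pop()
        if not locally_ok(cfg):
            continue
        for answers in challenges(cfg):
            for nxt in answers:
                if nxt not in seen:
                    seen.add(nxt)
                    todo.append(nxt)

    Z = {cfg for cfg in seen if locally_ok(cfg)}
    changed = True
    while changed:                                         # greatest fixpoint
        changed = False
        for cfg in list(Z):
            if any(not any(a in Z for a in answers) for answers in challenges(cfg)):
                Z.discard(cfg)
                changed = True
    return start in Z


# Assumed stand-ins for the structures of Example 12 (the figure itself is not
# available): a single reflexive state versus a two-state cycle, with n = r.
loop = {"w": {"w"}}
cycle = {"v1": {"v2"}, "v2": {"v1"}}
M = {"r": loop, "n": loop}
N = {"r": cycle, "n": cycle}
```

On these stand-in structures the check reports that w and v1 are not related, in line 
with the conclusion of Example 12, while every state is related to itself. The 
procedure is exponential in the worst case and is meant only to make the finiteness 
argument concrete. 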


It is worth remarking here that the notion of a history-based bisimulation is quite differ- 
ent from the notion of a history-preserving bisimulation [7]. The latter is a very strong 
notion saying that two states are history-preserving bisimilar in case they are related by 
a bisimulation and additionally, the respective substructures consisting of the states that 
can reach the state via the accessibility relation, are isomorphic. 

Before we phrase the semantic characterisation of the language ℒ₁ in Theorem 15, 
we define the notion of an image finite state. 


Definition 14 (Image-finiteness) 

Given a structure M = (S, r, n) we let r* denote the reflexive, transitive closure of r. 
A state w ∈ S is called r-image finite if r(v) is finite for all v with (w, v) ∈ r*, and is 
called n-image finite if n(v) is finite for all v with (w, v) ∈ r*. Moreover, w is called 
image finite if it is both r-image finite and n-image finite. 

Strictly speaking, we do not need the assumption of image-finiteness: analogously to the 
proof of the semantic characterisation of standard modal logic, we could use ultrafilter 
extensions [3]. However, for the sake of simplicity we adopt this property here. 


Theorem 15 (Semantic characterisation) 
Given two structures M and N, for all states w from M and u from N the following 
holds: 

(i) if w Z u for some history-based bisimulation Z, then for all sentences φ ∈ ℒ₁ we 
have M, w ⊨ φ ⇔ N, u ⊨ φ; 

(ii) if w, u are image finite and M, w ⊨ φ ⇔ N, u ⊨ φ for all sentences φ ∈ ℒ₁, 
then w Z u for some history-based bisimulation Z. 


Because of space limitations, we do not give a proof of this non-trivial result. Instead, 
we consider some applications of the result. First of all, consider the models M and 
N from Figure 1, where we assume that the accessibility relation and the neighbourhood 
relation coincide. The language ℒ₁ cannot distinguish between these models. This 
follows from the fact that there exists a history-based bisimulation between M, w and 
N, w. Secondly, the language ℒ₁ cannot express the property that the accessibility 
relation is contained in the neighbourhood relation, as stated in the following result. 


Corollary 16 There does not exist a formula φ ∈ ℒ₁ such that for all structures M = 
(W, r, n) and states w ∈ W we have: M, w ⊨ φ ⇔ r(w) ⊆ n(w). 


5 Decidability 


In this section, we discuss the decidability of the language ℒ₁. 


5.1 The Guarded Fragment 


In this section, we examine the connection of our logic with the guarded fragment of 
first-order logic [1]. This logic, which is decidable, consists 
of first-order formulae that are built from arbitrary atoms, boolean operators and finally, 
quantifications of the following format: 

    ∃ȳ(R ȳ x̄ ∧ φ(x̄, ȳ)), 

where R is a particular predicate and ȳ and x̄ are sequences of variables. The semantic 
characterisation of the guarded fragment is defined in terms of a guarded bisimulation. 
That is, any formula ψ is equivalent to a formula in the guarded fragment if and only if 
ψ is invariant for guarded bisimulations. This notion is defined below. 


Definition 17 A guarded bisimulation between two models M and N is a non-empty 
set F of finite partial isomorphisms that satisfies the following conditions. For all f : 
X → Y in F, we have 

— for all guarded sets Z in M there exists g in F with domain Z such that g and f 
agree on X ∩ Z 

— for all guarded sets W in N there exists g in F with range W such that g⁻¹ and 
f⁻¹ agree on Y ∩ W 

where a set V is called guarded in a model in case there exist a₁, ..., aₙ (with 
repetitions, possibly) such that V = {a₁, ..., aₙ} and for some relation R we have that 
R(a₁, ..., aₙ) is true in the model. 


We argue that ℒ₁ does not fall inside the guarded fragment. Consider the two 
structures M and N in Figure 2. The set F consisting of the partial isomorphisms {w ↦ 
v, w₁ ↦ v₁} and {w ↦ v, w₂ ↦ v₁} constitutes a guarded bisimulation between M 
and N. Hence, there is no formula in the guarded fragment that distinguishes between 
these two structures. However, in our language ℒ₁ there is for instance the formula 
ψ = (∃x∃y(¬ x = y)) with M, w ⊨ ψ and N, u ⊭ ψ. So, ψ ∈ ℒ₁ is not invariant 
for guarded bisimulations and therefore is not equivalent to a formula in the guarded 
fragment. So, we establish the following result. 


Observation 18 (Relation with guarded fragment) 
The language ℒ₁ is not contained in the guarded fragment of first-order logic. 


5.2. Hybrid Languages 


Our framework has connections with the work on what are called hybrid languages, 
which are languages that, like ℒ₁, also combine modality with first-order quantification 
mechanisms [4,2]. In particular, hybrid languages extend the basic modal language ℒ₀ 
with a collection of nominals that are used to label states in models. These nominals are 
propositional formulae that are true at exactly one state in a model, and so to speak are 
employed as global unique names for states. Further extensions additionally incorporate 
operators of the form @ᵢ to jump to the state that is denoted by the nominal i, as well as 
operators to bind nominals. Here we consider the two fundamental ones of these binding 
operators; viz. the hybrid operator ↓x and the hybrid existential quantifier, which is 
to be distinguished from the quantifier ∃x of ℒ₁. 

First of all, the operator ↓x binds the variable x to the current state of evaluation. 
It can be defined in the language ℒ₁ as follows: 

    ↓x φ ≡ ∃x(x = self ∧ φ). 


Moreover, it corresponds to existential quantification in the class of structures in which 
the neighbourhood of states is given by the state itself; that is, in the class: 

    {M | M ⊨ ∃x(x = self ∧ ∀y(y = x))}. 


Additionally, the hybrid existential quantifier ranges over the entire set of states in a 
structure. If we consider this operator in our framework, it corresponds to existential 
quantification in the class of structures in which the neighbourhood relation is universal, 
meaning that each state is in the neighbourhood of any other state. This class can be 
defined as follows: 

    {(W, r, n) | n = W × W}. 

The language ℒ₁ is not expressive enough to characterise the above class of models, as 
this type of existential quantification assumes an external view on models rather than 
the local view that has been taken in our framework. 

Finally, we mention the hybrid operator @ₓ that is used to jump to the state denoted 
by the variable x. The truth definition of this operator can be given as follows: 

    M, w, f ⊨ @ₓφ   ⇔   M, f(x), f ⊨ φ. 


This operator has no counterpart in our framework due to the fact that in each state, 
it allows going to states that are not necessarily reachable via the accessibility relation. 
This is in contrast with one of our underlying assumptions, saying that in a state one 
cannot go to arbitrary states but only to an accessible one. 


5.3. Finite Model Property and Decidability 


The language ℒ₁ does not satisfy the finite model property, which is due to the fact that 
it can compel infinite neighbourhoods. Let R(x, y) stand for the formula: 

    ◇(x = self ∧ ◇(y = self)), 

which expresses that from the accessible state x the state y is accessible. Subsequently, 
let φ denote the conjunction of the following formulae: ∃x(x = x), which expresses that 
a neighbourhood is nonempty; ∀x(¬R(x, x)), expressing the irreflexivity of the relation 
R; ∀x∀y∀z((R(x, y) ∧ R(y, z)) → R(x, z)), denoting transitivity; and ∀x∃y(R(x, y)), 
expressing seriality. If this formula is true in a particular state w then the 
neighbourhood of this state is infinite. The construction of this neighbourhood {v₁, v₂, v₃, ...} is 
sketched in Figure 4. 


Fig. 4. An infinite neighbourhood 


Moreover, it follows that the validity problem of the language ℒ₁ is undecidable. 
In fact, this is a direct consequence of the result claimed in [2], which says that the 
hybrid language consisting of the basic modal language ℒ₀ extended with variables and 
the operator ↓x is undecidable. The claim then follows from the fact that this hybrid 
language is a sublanguage of ℒ₁; i.e., hybrid formulae of the form ↓x φ can be modelled 
in ℒ₁ as ∃x(x = self ∧ φ). 

The interesting question now arises of the role of the constant self in this result. 
Currently, we are investigating the expressivity and complexity of the language ℒ₁ without 
this constant. Here, we only mention that this sublanguage does not satisfy the finite 
model property either, which can be shown in a similar manner as above, using the 
following definition: 

    R(x, y) = ◇(∃u(u = x) ∧ ◇(∃u(u = y))). 

Thus, R(x, y) expresses that y is known in a state that can be accessed from some 
accessible state (with respect to the current state) in which x is known. 


6 Topologies of Multi-agent Systems 


In this section, we consider an application of our logic to the description of multi-agent 
topologies. More specifically, we show how our basic notion of quantification can be 
used in reasoning about the ambiguities of names; that is, situations in which one agent 
is known by other agents under different names. 

Formally, we extend our language ℒ₁ with a countable set C of names, with typical 
element c. A term t in the extended language, which is called ℒ₂, is thus either a variable 
x, the constant self, or a name c ∈ C. Formulae are defined as in Definition 5 and they 
are interpreted over the following structures. 


Definition 19 A multi-agent topology over the set of names C is a structure: 

    (W, r, I), 

where W is a set of states, or agents, r ⊆ W × W denotes the accessibility relation, 
and I is a total function which assigns to each w ∈ W an interpretation I(w) of each 
name c ∈ C, that is, I(w) ∈ C → W. 


The definition of the truth of a formula φ in the extended language ℒ₂ involves a 
straightforward adaptation of the truth definition of the language ℒ₁ and is therefore 
omitted. Instead, we explain here the use of quantification in the description of the 
ambiguities to which names may give rise. First, we observe that without quantification 
we cannot describe phenomena such as one agent being known by different agents under 
different names. For example, given an agent w, we cannot describe the situation that 
I(w)(c) = I(w′)(c), for some (w, w′) ∈ r, simply because the modal operators 
induce a “context switch”, that is, a different interpretation of the names. However, this 
situation can be described using quantifiers simply by the formula: 

    ∃x(x = c ∧ ◇(x = c)). 


So, we bind the value of the constant c to the variable x, and use the fact that the 
interpretation of the variables is fixed, that is, does not change when “moving” from 
one agent to another. 
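
The effect of binding a name to a variable before the context switch can be sketched 
directly on a finite multi-agent topology. In the Python fragment below, the function 
name and the example data are hypothetical. Since the adapted truth definition is 
omitted in the text, the range of the quantifier is an assumption: here x ranges over 
the agents that w can name, i.e. the range of I(w). 

```python
def same_referent_after_step(r, I, w, c):
    """Evaluate Ex(x = c and <>(x = c)) at agent w.

    r: dict agent -> set of accessible agents
    I: dict agent -> dict name -> agent (the local interpretation of names)
    """
    candidates = set(I[w].values())        # ASSUMED range of the quantifier
    for v in candidates:                   # v is the value bound to x
        names_c_here = (v == I[w][c])      # x = c, interpreted at w
        names_c_there = any(v == I[w2][c]  # x = c, interpreted at some
                            for w2 in r[w])  # accessible agent w2
        if names_c_here and names_c_there:
            return True
    return False


# Hypothetical topology: a can reach b, and both use the name "boss".
r = {"a": {"b"}, "b": set()}
agree = {"a": {"boss": "b"}, "b": {"boss": "b"}}
differ = {"a": {"boss": "b"}, "b": {"boss": "a"}}
```

The value of x is fixed at w and compared again after moving to w2, which is exactly 
what a formula without variables cannot do, because c is reinterpreted at w2. 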

In practice, we may assume without loss of generality that the set C of names 
is finite. Under this assumption we can, without loss of expressive power, restrict to 
bounded quantification of the form: 

    ∃x(x = c ∧ φ). 


For this language the validity problem is decidable. We are currently working on a 
decision procedure that is based on a semantic tableau construction. 


7 Future Research 


Many issues remain to be studied such as expressivity and complexity results and the 
development of a complete axiomatization of (sublanguages of) the language ℒ₁. Other 
topics of interest include the introduction of predicates to describe properties of agents, 
for example properties expressing security aspects. Additionally, we want to investigate 
the introduction of the inverse ◇⁻¹ and the reflexive, transitive closure ◇* of the 
operator ◇ for describing properties of network topologies. A final issue is the study of the 
connection with epistemic logic [12]. 

Abstract. The beliefs of the agents in a multi-agent system have been formally 
modelled in the last decades using doxastic logics. The possible worlds model and 
its associated Kripke semantics provide an intuitive semantics for these logics, 
but they commit us to model agents that are logically omniscient. We propose 
a way of avoiding this problem, using a new kind of entities called subjective 
situations. We define a new doxastic logic based on these entities and we show 
how the belief operators have some desirable properties, while avoiding logical 
omniscience. A comparison with two well-known proposals (Levesque’s logic of 
explicit and implicit beliefs and Thijsse’s hybrid sieve systems) is also provided. 


1 Introduction 


In the last decade doxastic modal logics have been considered the most appropriate 
formal tool for modelling the beliefs of the agents composing a multi-agent system ([1]). 
The standard way of providing a meaning to the modal formulas of these logics is to 
use the possible worlds model ([2]) and its associated Kripke semantics ([3]). This 
semantics is quite natural and intuitive, but it is well known that the agents modelled in 
this framework are logically omniscient ([4]). Therefore, this semantics is unsuitable 
to model the beliefs of realistic, non-ideal agents. The aim of our work is to provide a 
plausible way of modelling the beliefs of non-logically omniscient agents, while 
keeping the essence and the beauty of the possible worlds model and the Kripke semantics. 

This article is structured as follows. In section 2 we give an intuitive explanation 
of our approach to the logical omniscience problem, which is based on a new kind of 
entities called subjective situations. In a nutshell, a subjective situation is the perception 
that an agent has of a certain state of affairs. These situations, as will be explained 
below, will take the role of possible worlds. In section 3, a formalization of subjective 
situations in the framework of doxastic propositional logic is given. Section 4 is devoted 
to a study of the behaviour of the modal belief operators that extends and generalizes 
our previous results ([5]). It is shown how their properties do indeed correspond with 
our intuitions about what should be an adequate formalization of the doxastic attitude of 
a non-ideal, non-logically omniscient agent. In section 5, a comparison of our proposal 
with two well-known approaches (Levesque’s logic of explicit and implicit beliefs ([6]) 
and Thijsse’s hybrid sieve systems ([7])) is performed. The paper finishes with a brief 
summary and the bibliographical references. 


2 Motivation of Subjective Situations 


The most popular way of dealing with the logical omniscience issue is to change the 
concept of what a possible world is (see [8] for a detailed review of the most interesting 
approaches to the problem of logical omniscience). Regardless of the way in which the 
concept of possible world is modified, there is a kernel that never changes: the formal 
representation of a possible world is not related in any way with the notion of agent. 
Thus, it may be said that all the approaches in the literature present an objective view 
of what a possible world is (i.e. a world is the same for all the agents, is independent 
of them). In a standard Kripke structure, the only item that depends on each agent is its 
accessibility relation between possible worlds. 

The traditional meaning assigned to the accessibility relation Rᵢ of an Agentᵢ is that 
it represents the uncertainty that Agentᵢ has about the situation in which it is located 
(e.g. (w₀ R₅ w₁) means that Agent₅ cannot distinguish between worlds w₀ and w₁). 
This situation is quite peculiar, because the formulae that are true in two worlds that are 
linked by an accessibility relation are, in principle, totally unrelated (i.e. given a Kripke 
structure, there is no relationship between the accessibility relation between states and 
the function that assigns truth values to the basic propositions in each of them). 

Our proposal may be motivated by the following scenario. Imagine two people (α 
and β) that are watching a football match together. In a certain play of the game, a fault 
is made and the referee awards a penalty kick. α thinks that the referee is right, because 
it has noticed that the fault was made inside the penalty area (let us represent this fact 
with proposition P); at the same time, β is thinking that the referee was wrong because, 
in its perception of the situation, the fault was made just an inch outside the penalty area. 
How can this situation (and the beliefs of the two agents) be formally represented? 

Following the standard approach, we could model the fact that α believes P and β 
believes ¬P by assuming that in all the (objectively described) worlds considered as 
possible in the current state by α the proposition P holds, whereas in all the worlds 
considered as possible by β (β’s doxastic alternatives) P is false. This account of each 
agent’s doxastic state does not seem very satisfactory to us, for at least two reasons: 


— It does not tell us how each agent’s perception of the situation influences its own 
beliefs. An agent is supposed to eliminate instantly from its set of doxastic 
alternatives all those (completely specified) possible worlds in which a basic proposition 
has a truth value that does not match the agent’s current beliefs. It would be more 
plausible to have a framework in which the agent kept a partial description of the 
situation in which it is located, and in which it could use the facts that it keeps 
perceiving from the environment in order to keep increasing and refining its beliefs 
([9], [10]). 

— Assuming that the fault was indeed made inside the penalty area, most philosophers 
would argue that α not only believes P but also knows it (P being true in the real 
world), whereas β believes ¬P but cannot possibly know ¬P, as it is actually 
false². Thus, in a somewhat magical way, one agent would have some knowledge 
(that would coincide with reality) whereas the other would not. 


In our opinion, this state of affairs (the actual situation, comprising both the football 
match and the agents, along with their beliefs) may not be adequately described with a 
simple assignment of truth values to the basic propositions. Even if we had an accurate 
description of the real world, does it really matter very much whether the fault was 
made inside the penalty area in order to model the beliefs of the two agents involved in 
the scene? 

The situation (s) is obviously the same for the two agents α and β (they are watching 
the same match together). From α’s point of view, the description of s should make 
proposition P true; however, from β’s perspective, in the present situation P should be 
considered false. Obviously, there would be many aspects of s in which α and β would 
agree; e.g. both of them would consider that the proposition representing the fact “We 
are watching a football match on TV” is true in s. 

As far as beliefs are concerned, we argue that, in this situation, α should be capable 
of stating that B_α P (α has seen the fault and has noticed that it was made inside the 
penalty area; thus, it believes so). A situation in which α perceived the fault to have 
been made inside the penalty area and yet maintained that it did not believe that a 
penalty kick should have been awarded would not seem very acceptable (the only possible 
explanation being that α is a strong supporter of the offending team). It also seems 
reasonable to say that α cannot fail to notice that it believes that the fault was made 
inside the penalty area; thus, α may also assert in s that B_α B_α P. In a similar way, in 
this situation β cannot state that B_β P (β cannot maintain that it believes that the 
referee is right, in a situation in which it perceived the fault to have been made outside 
the penalty area). Thus, it seems clear that each agent’s point of view on a situation 
strongly influences (or we could even say determines) its positive and negative beliefs in 
that situation. 

In our framework we want to include the intuition that agents are smart enough 
to know that other agents may not perceive reality in the same way as they do. In the 
previous example, without further information (e.g. α shouting “Penalty!”), β should 
not be capable of supporting (or rejecting) that B_α P; analogously, α could not affirm 
(or deny) that B_β P. That means that the communication between the agents is the main 
way in which an agent may attain beliefs about other agents’ beliefs. We could have 
chosen other alternatives; for instance, we could have stated that an agent believes that 
the other agents perceive reality in the same way as it does, provided that it does not 
have information that denies that fact. If that were the case, α would assume that β also 
believes that P is true, as long as it does not have any reason to think otherwise (e.g. β 
saying “This referee is really blind”). 


² It could be argued that we are somehow neglecting the need of a justification for the belief 
in order for it to become knowledge (as knowledge is usually defined in the philosophical 
literature as justified true belief). But what could possibly count more as a justification than 
each agent’s own direct perception of the situation? 

A final reflection on the meaning of the accessibility relation between situations 
for Agentᵢ (Rᵢ) is necessary. It will be assumed that an agent cannot have any doubts 
about its own perceptions and beliefs in a given state. E.g. if, in situation s, α looks at 
the match and thinks P, then it surely must realise this fact and believe P in s (and even 
believe that it believes P, were it to think about that). Thus, if R_α links s with all those 
situations that α cannot tell apart from s, it must be the case that α also perceives P as 
true in all those states (otherwise, those states would be clearly distinguishable 
by α, because in some of them it would support P whereas in others P would 
be rejected). The only uncertainty that α may have is about the perception of s by the 
other agents. In the example, α does not know whether it is in a situation in which β 
supports P or in a situation in which β rejects P. Therefore, α’s accessibility relation 
must reflect this uncertainty. 

Summarising, the main points that have been illustrated with the previous discussion 
are the following: 


— A situation may be considered not as an entity that may be objectively described, 
but as a piece of reality that may be perceived in different ways by different agents. 
Thus, it is necessary to think of a subjective way of representing each situation, in 
which each agent’s point of view is taken into account. In the previous example, 
the description of s should include the fact that α is willing to support P, whereas 
β isn’t. 

— An agent’s beliefs in each situation also depend on its point of view. 
In the situation of the example, B_α P would hold from α’s perspective, whereas 
it would not be either supported or rejected by β. Thus, we argue that it does not 
make sense to ask whether B_α P holds in s or not; that question must be referred to 
a particular agent’s point of view. 

— The interpretation of the meaning of each agent’s accessibility relation is slightly 
different from the usual one. 
Each accessibility relation Rᵢ will keep its traditional meaning, i.e. it will represent 
the uncertainty of Agentᵢ with respect to the situation in which it is located. 
However, our intuition is that an agent may only be uncertain about the other agents’ 
perception of the present state, not about its own perception. 


3 Formalization of Subjective Situations 
These intuitive ideas are formalized in the structures of subjective situations: 


Definition 1 (Structure of Subjective Situations) 
A structure of subjective situations for n agents is a tuple 


$\langle S, R_1, \ldots, R_n, T_1, \ldots, T_n, F_1, \ldots, F_n \rangle$, where 


— S is the set of possible situations. 

— $R_i$ is the accessibility relation between situations for Agent$_i$. 

— $T_i$ is a function that returns, for each situation s, the set of propositional formulae 
that are perceived as true by Agent$_i$ in s. 

— $F_i$ is a function that returns, for each situation s, the set of propositional formulae 
that are perceived as false by Agent$_i$ in s. 


$\mathcal{E}$ is the set of all structures of subjective situations. 


The presence of $T_i$ and $F_i$ allows Agent$_i$ to consider partial situations (those in 
which Agent$_i$ does not have any reason to support or to reject a given formula) as well 
as inconsistent situations (those in which Agent$_i$ may have reasons to support and to 
reject a given formula). This kind of situation was already considered by Levesque in 
his logic of explicit and implicit beliefs ([6]). A detailed comparison of our proposal 
and that of Levesque is offered in section 5. 

The accessibility relation between situations for Agent$_i$ has to reflect its uncertainty 
about the way in which the actual situation is perceived by the other agents. Thus, $R_i$ has 
to link all those states that Agent$_i$ perceives in the same way but that may be perceived 
in different ways by other agents. This intuition is formalized in the following condition: 


Definition 2 (Condition on Accessibility Relations) 
$\forall s, t \in S$: $(s R_i t)$ if and only if $T_i(s) = T_i(t)$ and $F_i(s) = F_i(t)$ 


This condition implies that the accessibility relations are equivalence relations, since 
equality of the pairs $(T_i(s), F_i(s))$ is reflexive, symmetric and transitive. This 
result links this approach with the classical S5 modal system, in which the accessibility 
relations are also equivalence relations. In S5 this property validates axiom 4 (positive 
introspection), axiom 5 (negative introspection) and axiom T (the axiom of knowledge); the 
modal operators of the system proposed in this article will have similar properties, as 
will be shown in section 4. 
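
As an informal illustration of Definition 2, the following sketch derives each accessibility relation from the perception functions and checks that it is an equivalence relation. The situations, agents and formulae are hypothetical toy data, and formulae are treated as opaque strings; none of these names come from the paper.

```python
from itertools import product

# Hypothetical toy structure: three situations, two agents.
S = {"s", "t", "u"}
# T[i][s] / F[i][s]: formulae that agent i perceives as true / false in s.
T = {1: {"s": {"P"}, "t": {"P"}, "u": {"Q"}},
     2: {"s": {"P"}, "t": set(), "u": set()}}
F = {1: {"s": set(), "t": set(), "u": {"P"}},
     2: {"s": set(), "t": {"P"}, "u": {"P"}}}

def accessibility(i):
    """R_i per Definition 2: s R_i t iff T_i(s) = T_i(t) and F_i(s) = F_i(t)."""
    return {(s, t) for s, t in product(S, S)
            if T[i][s] == T[i][t] and F[i][s] == F[i][t]}

def is_equivalence(R):
    """Check reflexivity, symmetry and transitivity of R over S."""
    reflexive = all((s, s) in R for s in S)
    symmetric = all((t, s) in R for (s, t) in R)
    transitive = all((s, u) in R
                     for (s, t) in R for (t2, u) in R if t == t2)
    return reflexive and symmetric and transitive

R1, R2 = accessibility(1), accessibility(2)
print(sorted(R1))
print(is_equivalence(R1), is_equivalence(R2))
```

In this toy data Agent 1 cannot tell s from t, while Agent 2 cannot tell t from u, so the two agents partition the same set of situations differently.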


3.1 Satisfiability Relations 


A simplified version of the doxastic propositional language for n agents is considered, 
as shown in the following definition: 


Definition 3 (Doxastic Modal Language $\mathcal{L}$) 

Consider a set of modal belief operators for n agents ($B_1, \ldots, B_n$). $\mathcal{L}$ is the 
language formed by all propositional formulae (built in the standard way from a set P 
of basic propositions and the logical operators $\neg, \lor, \land, \to$), preceded by a (possibly 
empty) sequence of (possibly negated) modal operators. $\mathcal{L}_{PC}$ is the subset of $\mathcal{L}$ that 
contains those formulae that do not have any modal operator. The modal formulae of $\mathcal{L}$ 
are called linearly nested. 


Thus, the language $\mathcal{L}$ contains formulae such as $P$, $B_3 Q$, $B_1 B_5 (R \lor T)$, $B_3 \neg B_2 S$ 
and $\neg B_1 B_4 \neg T$, but it is not expressive enough to represent formulae such as $(B_1 P \to 
B_3 Q)$ or $(P \lor B_5 Q)$. In most practical applications, an agent in a multi-agent system 
will only need to represent what it believes (or not) to be the case in the world and 
what it believes (or not) that the other agents believe (or not). This is just the level of 
complexity offered by linearly nested formulae. 
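
One possible way to picture a linearly nested formula is as a modal prefix followed by a propositional body. The sketch below is only an illustration under that assumption; the class names `Modal` and `LinearlyNested` are hypothetical, and the propositional body is kept as an opaque string.

```python
from dataclasses import dataclass
from typing import Tuple

@dataclass(frozen=True)
class Modal:
    agent: int             # index i of the belief operator B_i
    negated: bool = False  # True stands for a negated operator

@dataclass(frozen=True)
class LinearlyNested:
    prefix: Tuple[Modal, ...]  # possibly empty sequence of (possibly negated) operators
    body: str                  # propositional formula, kept opaque here

    def is_propositional(self) -> bool:
        # Formulae without modal operators form the propositional fragment.
        return not self.prefix

    def __str__(self) -> str:
        ops = "".join(("¬" if m.negated else "") + f"B{m.agent} "
                      for m in self.prefix)
        return ops + self.body

f = LinearlyNested((Modal(3), Modal(2, negated=True)), "S")
print(f)  # B3 ¬B2 S
```

Because modal operators can only appear in the prefix, a formula that combines modal subformulae with a connective, such as an implication between two beliefs, has no representation in this data type, which mirrors the restriction of Definition 3.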

In a structure of subjective situations each Agent$_i$ may have positive and negative 
information about some propositional formulae (given by $T_i$ and $F_i$, respectively). This 
allows us to define two relations (of satisfiability, $\models_i$, and unsatisfiability, $=\!|_i$) between 
situations and formulae for each Agent$_i$. Given a structure of subjective situations E 
and a situation s, the expression $E, s \models_i \phi$ should hold whenever Agent$_i$ has some 
reason to think that $\phi$ is true in situation s. Similarly, $E, s =\!|_i \phi$ should hold whenever 
Agent$_i$ has some reason to reject $\phi$ in situation s. 

Notice that $E, s \not\models_i \phi$ should not imply that $E, s =\!|_i \phi$ (i.e. Agent$_i$ not having any 
reason to support $\phi$ does not mean that it must have reasons to reject it). In the same 
spirit, $E, s \models_i \phi$ should not imply that $E, s \neq\!|_i \phi$ (Agent$_i$ could have reasons both to 
support and to reject a certain formula in a given situation). These facts will indeed be 
true, as will be seen in the next section, due to the presence of the partial and inconsistent 
situations discussed above. 


The clauses that define the behaviour of these relations are shown in the following 
definition: 


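Definition 4 (Relations $\models_i$ and $=\!|_i$) 


— $\forall E \in \mathcal{E}$, $\forall s \in S$, $\forall$ agent $i$, $\forall \phi \in \mathcal{L}_{PC}$ 


$E, s \models_i \phi \iff \phi \in T_i(s)$ 
$E, s =\!|_i \phi \iff \phi \in F_i(s)$ 


— $\forall E \in \mathcal{E}$, $\forall s \in S$, $\forall$ agents $i, j$, $\forall \phi \in \mathcal{L}$ 


$E, s \models_i B_j \phi \iff \forall t \in S$ ($(s R_i t)$ implies $E, t \models_j \phi$) 
$E, s =\!|_i B_j \phi \iff \exists t \in S$ ($(s R_i t)$ and $E, t =\!|_j \phi$) 


— $\forall E \in \mathcal{E}$, $\forall s \in S$, $\forall$ agents $i, j$, $\forall \phi \in \mathcal{L}$ 


$E, s \models_i \neg B_j \phi \iff E, s =\!|_i B_j \phi$ 
$E, s =\!|_i \neg B_j \phi \iff E, s \models_i B_j \phi$ 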


A propositional formula $\phi$ is supported in a given situation s by an Agent$_i$ if and 
only if Agent$_i$ has reasons to think that $\phi$ is true in s. Analogously, $\phi$ will be rejected 
if and only if there are reasons that support its falsehood (recall that a formula may be 
both supported and rejected in a given situation). As far as beliefs are concerned, in a 
given situation s, Agent$_i$ supports that Agent$_j$ believes $\phi$ just in case Agent$_j$ supports 
$\phi$ in all the situations that are considered possible by Agent$_i$ in s (Agent$_i$’s doxastic 
alternatives). Similarly, Agent$_i$ may reject the fact that Agent$_j$ believes $\phi$ if it may 
think of a possible situation in which Agent$_j$ rejects $\phi$. Finally, Agent$_i$ will support 
that Agent$_j$ does not believe $\phi$ if it may reject the fact that Agent$_j$ believes $\phi$. We do 
not need more clauses to define the behaviour of the satisfiability and unsatisfiability 
relations due to the restriction to linearly nested formulae imposed in definition 3. 
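
The clauses of Definition 4 can be read as a pair of mutually recursive procedures. The following is a minimal sketch under some assumptions that are not in the paper: formulae are encoded as a prefix of `(negated, agent)` pairs plus an opaque propositional body, and the class name `Structure` and the toy data are hypothetical.

```python
class Structure:
    """Toy structure of subjective situations (illustrative encoding)."""

    def __init__(self, situations, T, F):
        self.S = set(situations)
        self.T = T  # T[i][s]: formulae agent i perceives as true in s
        self.F = F  # F[i][s]: formulae agent i perceives as false in s

    def related(self, i, s, t):
        # Definition 2: s R_i t iff agent i perceives s and t identically.
        return self.T[i][s] == self.T[i][t] and self.F[i][s] == self.F[i][t]

    def supports(self, i, s, prefix, body):
        """Satisfiability relation of agent i at situation s."""
        if not prefix:                      # propositional clause
            return body in self.T[i][s]
        (neg, j), rest = prefix[0], prefix[1:]
        if neg:                             # supporting a negated belief = rejecting the belief
            return self.rejects(i, s, ((False, j),) + rest, body)
        return all(self.supports(j, t, rest, body)
                   for t in self.S if self.related(i, s, t))

    def rejects(self, i, s, prefix, body):
        """Unsatisfiability relation of agent i at situation s."""
        if not prefix:                      # propositional clause
            return body in self.F[i][s]
        (neg, j), rest = prefix[0], prefix[1:]
        if neg:                             # rejecting a negated belief = supporting the belief
            return self.supports(i, s, ((False, j),) + rest, body)
        return any(self.rejects(j, t, rest, body)
                   for t in self.S if self.related(i, s, t))

# Agent 1 perceives s and t identically; agent 2 supports P in s and rejects it in t.
E = Structure(
    {"s", "t"},
    T={1: {"s": {"P"}, "t": {"P"}}, 2: {"s": {"P"}, "t": set()}},
    F={1: {"s": set(), "t": set()}, 2: {"s": set(), "t": {"P"}}},
)
B1, B2, NOT_B2 = (False, 1), (False, 2), (True, 2)
print(E.supports(1, "s", (B1,), "P"))      # agent 1 believes P
print(E.supports(1, "s", (B2,), "P"))      # agent 1 does not support "agent 2 believes P"
print(E.supports(1, "s", (NOT_B2,), "P"))  # agent 1 supports "agent 2 does not believe P"
```

In this toy data Agent 1 is certain about its own perception of P but, because it cannot distinguish s from t, it has a doxastic alternative in which Agent 2 rejects P.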


4 Properties of the Belief Operators 


The definition of a structure of subjective situations, the fact that the accessibility 
relations are equivalence relations and the clauses that describe the behaviour of the 
satisfiability (and unsatisfiability) relations compose a framework in which the modal 
belief operator of each Agent$_i$ has several interesting logical properties (that, in our 
opinion, make it an appropriate operator to model the notion of belief for a non-ideal 
agent). Some of these properties are described in this section. 


4.1 General Results 


Proposition 1 (Lack of Logical Omniscience) 
In the framework of subjective situations, none of the following forms of logical 
omniscience ([8]) holds: 


— Full logical omniscience. 
— Belief of valid formulae. 
— Closure under logical implication. 
— Closure under logical equivalence. 
— Closure under material implication. 
— Closure under valid implication. 
— Closure under conjunction. 
— Weakening of beliefs. 
— Triviality of inconsistent beliefs. 


Proof. Let us take a state s in which $T_i(s) = \{P, (P \to Q), \neg P\}$ and $F_i(s) = \{P\}$. 
Consider a structure of subjective situations E that only contains the situation s. 


— $E, s \models_i B_i P$ and $E, s \models_i B_i (P \to Q)$ hold, but $E, s \models_i B_i Q$ does not hold. 
Therefore, neither full logical omniscience nor closure under material implication 
hold. 

— $E, s \models_i B_i (Q \lor \neg Q)$ does not hold. Therefore, there is no belief of valid formulae. 

— $E, s \models_i B_i P$ holds, but $E, s \models_i B_i (P \lor Q)$ does not hold. Therefore, closure 
under logical implication and weakening of beliefs do not hold. 

— $E, s \models_i B_i (P \to Q)$ holds, but $E, s \models_i B_i (\neg Q \to \neg P)$ does not. Therefore, 
beliefs are not closed under logical equivalence or under valid implication. 

— $E, s \models_i B_i P$ and $E, s \models_i B_i (P \to Q)$ hold, but the expression $E, s \models_i B_i (P \land 
(P \to Q))$ does not hold. Therefore, there is no closure under conjunction. 

— $E, s \models_i B_i P$ and $E, s \models_i B_i \neg P$ hold, but $E, s \models_i B_i Q$ does not hold. Therefore, 
there is no triviality of inconsistent beliefs. 
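
The counterexample in this proof can be checked mechanically. The sketch below assumes formulae are opaque strings written in an ad hoc ASCII syntax (`->`, `|`, `&`, `~`), which is an illustrative choice and not the paper's notation; because the structure has a single situation, a belief of Agent$_i$ is supported exactly when the formula belongs to $T_i(s)$.

```python
# Agent i's perception of the single situation s (formulae as opaque strings).
T_i = {"P", "P -> Q", "~P"}   # perceived as true
F_i = {"P"}                   # perceived as false

def believes(formula: str) -> bool:
    # S = {s} and s R_i s, so "B_i formula is supported at s"
    # reduces to membership of the formula in T_i(s).
    return formula in T_i

# Each entry is True when the corresponding omniscience property fails.
failures = {
    "closure under material implication":
        believes("P") and believes("P -> Q") and not believes("Q"),
    "belief of valid formulae":
        not believes("Q | ~Q"),
    "weakening of beliefs":
        believes("P") and not believes("P | Q"),
    "closure under logical equivalence":
        believes("P -> Q") and not believes("~Q -> ~P"),
    "closure under conjunction":
        believes("P") and believes("P -> Q") and not believes("P & (P -> Q)"),
    "triviality of inconsistent beliefs":
        believes("P") and believes("~P") and not believes("Q"),
}
for name, fails in failures.items():
    print(f"{name}: {'fails' if fails else 'holds'}")

# P is both supported and rejected in s, so s is an inconsistent situation.
print("P supported and rejected:", "P" in T_i and "P" in F_i)
```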


There are two basic reasons that account for the failure of all these properties: 


— $T_i$ and $F_i$ are defined on sets of (arbitrary) formulae (not on basic propositions). 
— $T_i$ and $F_i$ are unrelated. Thus, a given formula may belong to both sets, to only one 
of them or to none of them. 

It is possible to impose any of the above properties on the belief operators by requiring 
these sets of formulae to satisfy some conditions (for instance, if $\phi \in T_i(s)$ and 
$\psi \in T_i(s)$ together imply that $(\phi \land \psi) \in T_i(s)$, then Agent$_i$’s belief set would be 
closed under conjunction). 


Proposition 2 (Relation between $\models_i$ and $=\!|_i$) 


For any linearly nested formula $\phi$ 
$E, s \not\models_i \phi$ does not imply $E, s =\!|_i \phi$ 
$E, s \models_i \phi$ does not imply $E, s \neq\!|_i \phi$ 


Proof. Take the structure of subjective situations E described in the proof of the 
previous proposition. It is easy to check these facts: 


— $E, s \not\models_i B_i R$ and $E, s \neq\!|_i B_i R$. Therefore, $E, s \not\models_i \phi$ does not imply $E, s =\!|_i \phi$. 
— $E, s \models_i B_i P$ and $E, s =\!|_i B_i P$. Therefore, $E, s \models_i \phi$ does not imply $E, s \neq\!|_i \phi$. 


4.2 Results on Positive Introspection 


Proposition 3 (Characterization of positive beliefs) 
For any linearly nested formula $\phi$, 


$E, s \models_i \phi$ if and only if $E, s \models_i B_i \phi$ 


Proof: The left-to-right direction ($E, s \models_i \phi$ implies $E, s \models_i B_i \phi$) coincides with 
proposition 4. The right-to-left direction may be proven as follows: 

$E, s \models_i B_i \phi \Rightarrow \forall t (s R_i t),\ E, t \models_i \phi$. As $R_i$ is reflexive, $(s R_i s)$; therefore, 
$E, s \models_i \phi$. 

This result states that Agent$_i$ believes $\phi$ in state s if and only if $\phi$ is one of the 
facts that is supported by Agent$_i$ in that state³. Thus, in our framework the difference 
between belief and knowledge vanishes: both concepts have to be understood as the 
propositional attitude that the agents adopt towards those formulae that they perceive 
to be true in the environment. Therefore, the (rather philosophical) difference between 
those beliefs that are true in the real world (that constitute knowledge) and those that 
are not (plain beliefs) is not taken into account. 


Proposition 4 (Belief of supported formulae) 


For any linearly nested formula $\phi$, 
$E, s \models_i \phi$ implies $E, s \models_i B_i \phi$ 


Proof: There are five cases to be considered: 


— $\phi$ is a propositional formula. 
$E, s \models_i \phi$ and $\phi$ is propositional $\Rightarrow \phi \in T_i(s) \Rightarrow \forall t (s R_i t),\ \phi \in T_i(t)$ 
$\Rightarrow \forall t (s R_i t),\ E, t \models_i \phi \Rightarrow E, s \models_i B_i \phi$ 

— If $\phi$ is a modal formula that starts with an affirmed belief operator $B_i$ (i.e. $\phi = 
B_i \psi$), this fact is exactly the next proposition. 

— If $\phi$ is a modal formula that starts with an affirmed belief operator $B_j$ (i.e. $\phi = 
B_j \psi$), this statement coincides with proposition 6, which will be proved later. 

— If $\phi$ is a modal formula that starts with a negated belief operator $B_i$ (i.e. $\phi = 
\neg B_i \psi$), this fact is the one proved as proposition 10. 

— If $\phi$ is a modal formula that starts with a negated belief operator $B_j$ (i.e. $\phi = 
\neg B_j \psi$), this fact is the one proved as proposition 11. 


³ The right-to-left direction of proposition 3 ($E, s \models_i B_i \phi$ implies $E, s \models_i \phi$) is the classical axiom of knowledge, axiom T. 


This proposition tells us that an agent believes all formulae that it has reasons to 
support, as suggested in the motivating example. However, this proposition goes beyond 
our intuitions, because it refers to any kind of linearly nested formula, and 
not only to propositional formulae. 


Proposition 5 (Single-agent positive introspection) 


For any linearly nested formula $\phi$, 
$E, s \models_i B_i \phi$ implies $E, s \models_i B_i B_i \phi$ 


Proof: If $E, s \models_i B_i \phi$, that means that $E, t \models_i \phi$ holds in all the situations t that are 
$R_i$-related to s. $R_i$ being an equivalence relation, these situations are exactly the ones 
included in the equivalence class of s induced by $R_i$. This class is also the set of situations 
that may be accessed from s in two steps (in fact, in any number of steps) via $R_i$, 
and $\phi$ is supported by Agent$_i$ in all of them. Thus, $\forall s' (s R_i s')\ \forall s'' (s' R_i s''),\ E, s'' \models_i \phi$, 
and $E, s \models_i B_i B_i \phi$ also holds. 

This proposition states that axiom 4 (the classical axiom of positive introspection) 
holds for each belief operator B; (i.e. every agent has introspective capabilities on its 
own positive beliefs). 


Proposition 6 (Generation of positive beliefs) 


$E, s \models_i B_j \phi$ implies $E, s \models_i B_i B_j \phi$ 


Proof. $E, s \models_i B_j \phi \Rightarrow \forall t (s R_i t),\ E, t \models_j \phi$. Thus, $E, t \models_j \phi$ holds in all 
the worlds t that belong to the same equivalence class as s (considering the partition 
defined by $R_i$). Therefore, in all the worlds t accessible from s via $R_i$ in any number n 
of steps, $E, t \models_j \phi$. Taking the case n = 2, we obtain that $E, s \models_i B_i B_j \phi$. 

If an agent has reasons to support a certain belief of another agent, then that belief 
will be included in its belief set. 


Proposition 7 (Inter-agent positive introspection) 


$E, s \models_i B_j \phi$ implies $E, s \models_i B_j B_j \phi$ 


Proof. $E, s \models_i B_j \phi \Rightarrow \forall t (s R_i t),\ E, t \models_j \phi$. Using the result given in proposition 4, 
that formula implies that $\forall t (s R_i t),\ E, t \models_j B_j \phi$; thus, $E, s \models_i B_j B_j \phi$. 
This result is more general (proposition 5 reflected the case i = j). It states that 
each agent is aware of the fact that the other agents also have introspective capabilities. 


Proposition 8 (Multi-agent positive introspection) 
It does not hold (for three different agents Agent$_i$, Agent$_j$ and Agent$_k$ and a linearly 
nested formula $\phi$) that 


$E, s \models_i B_j \phi$ implies $E, s \models_i B_k B_j \phi$ 


Proof: We will show a counterexample. Take a structure of subjective situations 
with two situations, s and t, such that $(s R_k t)$ holds, but $(s R_i t)$ and $(s R_j t)$ do not. Take 
a formula $\phi$ such that $\phi \in T_j(s)$ and $\phi \notin T_j(t)$. In this state of affairs, $E, s \models_i B_j \phi$ holds 
but $E, s \models_i B_k B_j \phi$ does not hold. 

This proposition states a negative result. It tells us that even if Agent$_i$ has reasons 
to support that Agent$_j$ believes something, that is not enough for Agent$_i$ to think that 
any other Agent$_k$ will have that belief. This proposition is essentially expressing the 
uncertainty of Agent$_i$ about the beliefs of a different Agent$_k$. 
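
The counterexample of proposition 8 can be instantiated concretely. In the sketch below the agents i, j and k are numbered 1, 2 and 3, the formula is the opaque string `"phi"`, and the auxiliary formula `"A"` is a hypothetical device used only to make Agent 1 distinguish s from t; only un-negated belief operators are handled, which is all this proposition needs.

```python
S = {"s", "t"}
# Agent 1 (i) and agent 2 (j) distinguish s from t; agent 3 (k) does not.
T = {1: {"s": {"A"}, "t": set()},
     2: {"s": {"phi"}, "t": set()},
     3: {"s": set(), "t": set()}}
F = {a: {"s": set(), "t": set()} for a in (1, 2, 3)}

def related(i, s, t):
    # s R_i t iff agent i perceives both situations identically.
    return T[i][s] == T[i][t] and F[i][s] == F[i][t]

def supports(i, s, agents, body):
    """Agent i supports B_{a1} B_{a2} ... body at s (un-negated prefix only)."""
    if not agents:
        return body in T[i][s]
    j, rest = agents[0], agents[1:]
    return all(supports(j, t, rest, body) for t in S if related(i, s, t))

premise = supports(1, "s", (2,), "phi")       # agent 1 supports B_2 phi
conclusion = supports(1, "s", (3, 2), "phi")  # agent 1 supports B_3 B_2 phi
print(premise, conclusion)
```

The premise holds because s is the only situation Agent 1 considers possible, while the conclusion fails because Agent 3 cannot rule out t, where Agent 2 does not support the formula.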


4.3 Results on Negative Introspection 


Proposition 9 (Characterization of negative beliefs) 
For any linearly nested formula $\phi$, 


$E, s =\!|_i \phi$ if and only if $E, s \models_i \neg B_i \phi$ 


Proof: The left-to-right direction may be proven as follows. As we know that 
$E, s =\!|_i \phi$ and $(s R_i s)$, it may be said that $\exists t (s R_i t),\ E, t =\!|_i \phi$. Therefore, $E, s =\!|_i B_i \phi$, 
which is equivalent to $E, s \models_i \neg B_i \phi$. 

The right-to-left direction (i.e. $E, s \models_i \neg B_i \phi$ implies $E, s =\!|_i \phi$) will be 
proved considering five different cases (as we did in the proof of proposition 4): 


— $\phi$ is a propositional formula. 
$E, s \models_i \neg B_i \phi \Rightarrow E, s =\!|_i B_i \phi \Rightarrow \exists t (s R_i t),\ E, t =\!|_i \phi$. As $\phi$ is propositional, 
$E, t =\!|_i \phi$ implies that $\phi \in F_i(t)$; as $(s R_i t)$, $\phi \in F_i(s)$. Therefore, $E, s =\!|_i \phi$. 

— $\phi$ is a modal formula that starts with an affirmed belief operator $B_i$ (i.e. $\phi = B_i \psi$). 

$E, s \models_i \neg B_i \phi \Rightarrow E, s \models_i \neg B_i B_i \psi \Rightarrow E, s =\!|_i B_i B_i \psi \Rightarrow$ 
$\exists t (s R_i t),\ E, t =\!|_i B_i \psi \Rightarrow \exists t, u\ (s R_i t), (t R_i u),\ E, u =\!|_i \psi$. 

As $R_i$ is transitive, $(s R_i t)$ and $(t R_i u)$ imply that $(s R_i u)$. Thus, we may state that 
$\exists u (s R_i u),\ E, u =\!|_i \psi$. Therefore, $E, s =\!|_i B_i \psi$, which is equal to $E, s =\!|_i \phi$. 

— $\phi$ is a modal formula that starts with an affirmed belief operator $B_j$ (i.e. $\phi = B_j \psi$). 

$E, s \models_i \neg B_i \phi \Rightarrow E, s \models_i \neg B_i B_j \psi \Rightarrow E, s =\!|_i B_i B_j \psi \Rightarrow$ 
$\exists t (s R_i t),\ E, t =\!|_i B_j \psi \Rightarrow \exists t, u\ (s R_i t), (t R_i u),\ E, u =\!|_j \psi$. 

As $R_i$ is transitive, $(s R_i t)$ and $(t R_i u)$ imply that $(s R_i u)$. Thus, we may state that 
$\exists u (s R_i u),\ E, u =\!|_j \psi$. Therefore, $E, s =\!|_i B_j \psi$, which is equal to $E, s =\!|_i \phi$. 

— $\phi$ is a modal formula that starts with a negated belief operator $B_i$ (i.e. $\phi = \neg B_i \psi$). 

$E, s \models_i \neg B_i \phi \Rightarrow E, s \models_i \neg B_i \neg B_i \psi \Rightarrow E, s =\!|_i B_i \neg B_i \psi \Rightarrow$ 
$\exists t (s R_i t)\ \forall u (t R_i u),\ E, u \models_i \psi$. 

In this expression, t is a world that belongs to the same equivalence class as 
s (according to the partition defined by $R_i$), and u represents all the worlds that 
belong to t’s equivalence class; thus, u ranges over all the worlds belonging to 
s’s equivalence class (all the worlds that are accessible from s via $R_i$ in any 
number n of steps). If we take n = 1, we get that $\forall t (s R_i t),\ E, t \models_i \psi$. Thus, 
$E, s \models_i B_i \psi$, which is equivalent to $E, s =\!|_i \neg B_i \psi$. Therefore, $E, s =\!|_i \phi$. 

— $\phi$ is a modal formula that starts with a negated belief operator $B_j$ (i.e. $\phi = \neg B_j \psi$). 

$E, s \models_i \neg B_i \phi \Rightarrow E, s \models_i \neg B_i \neg B_j \psi \Rightarrow$ 
$E, s =\!|_i B_i \neg B_j \psi \Rightarrow \exists t (s R_i t),\ E, t =\!|_i \neg B_j \psi \Rightarrow$ 
$\exists t (s R_i t),\ E, t \models_i B_j \psi \Rightarrow \exists t (s R_i t)\ \forall u (t R_i u),\ E, u \models_j \psi$. 

In this expression, t is a world that belongs to the same equivalence class as 
s (according to the partition defined by $R_i$), and u represents all the worlds that 
belong to t’s equivalence class; thus, u ranges over all the worlds belonging to 
s’s equivalence class (all the worlds that are accessible from s via $R_i$ in any 
number n of steps). If we take n = 1, we get that $\forall t (s R_i t),\ E, t \models_j \psi$. Thus, 
$E, s \models_i B_j \psi$, which is equivalent to $E, s =\!|_i \neg B_j \psi$. Therefore, $E, s =\!|_i \phi$. 


Agent$_i$ does not believe $\phi$ at s if and only if $\phi$ is one of the facts that is rejected by i 
at s. Again, this proposition agrees with the intuitions that we had in the example that 
was used to motivate the need for the framework of subjective situations. 


Proposition 10 (Single-agent negative introspection) 


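$E, s \models_i \neg B_i \phi$ implies $E, s \models_i B_i \neg B_i \phi$ 


Proof: $E, s \models_i \neg B_i \phi \Rightarrow E, s =\!|_i B_i \phi \Rightarrow \exists t (s R_i t),\ (E, t =\!|_i \phi)$. Thus, there exists 
at least one world (say w) such that $(s R_i w)$ and $E, w =\!|_i \phi$. In order to prove 
the proposition, we have to notice that $R_i$ is Euclidean (i.e. whenever $(s R_i t)$ and 
$(s R_i u)$, $(t R_i u)$ also holds)⁴. Therefore, w is $R_i$-accessible from all worlds that are 
$R_i$-accessible from s, and we may state that $\forall t (s R_i t)$, $(t R_i w)$ and $E, w =\!|_i \phi$. Thus, 
$\forall t (s R_i t)\ \exists u (t R_i u),\ E, u =\!|_i \phi$. Thus, $\forall t (s R_i t),\ E, t =\!|_i B_i \phi$, which is equivalent to 
$\forall t (s R_i t),\ E, t \models_i \neg B_i \phi$. Therefore, we have shown that $E, s \models_i B_i \neg B_i \phi$. 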


This proposition states that axiom 5 (the classical axiom of negative introspection) 
holds for each belief operator B; (i.e. every agent has introspective capabilities on its 
own negative beliefs). 


Proposition 11 (Generation of negative beliefs) 


$E, s \models_i \neg B_j \phi$ implies $E, s \models_i B_i \neg B_j \phi$ 


Proof. $E, s \models_i \neg B_j \phi \Rightarrow E, s =\!|_i B_j \phi \Rightarrow \exists t (s R_i t),\ E, t =\!|_j \phi$. Let us call w 
any of the worlds referred to by this existential quantifier. $R_i$ being Euclidean, we know 
that $\forall t (s R_i t)$, $(t R_i w)$; therefore, we may say that $\forall t (s R_i t)\ \exists u (t R_i u),\ E, u =\!|_j \phi$. Thus, 
$\forall t (s R_i t),\ E, t =\!|_i B_j \phi$, which is equivalent to $\forall t (s R_i t),\ E, t \models_i \neg B_j \phi$. Therefore, 
$E, s \models_i B_i \neg B_j \phi$. 

This proposition expresses the fact that Agent$_i$ can make positive introspection 
on negated beliefs of other agents. 


⁴ It is easy to prove that any relation that is symmetric and transitive is also Euclidean. 


4.4 Summary of the Main Properties 


Summarising the main results shown in this section: 


— All forms of logical omniscience are avoided. 
None of the restricted forms of logical omniscience usually considered in the literature 
holds in the framework of subjective situations. This result is due to the 
presence of partial and inconsistent situations and to the fact that the description 
of a situation is formed with positive and negative information about propositional 
formulae (and not about basic propositions). 

— Each agent is aware of its positive and negative beliefs, and is also aware of the fact 
that the other agents enjoy this introspective capability. 
However, an agent is uncertain about the way the present situation is perceived by 
other agents and, therefore, it is unable to know anything about the other agents’ 
beliefs. 

— The positive and negative beliefs of an agent in a state reflect, as our intuitions 
suggested, the facts that are taken as true or false by the agent in that state. 
Thus, an agent’s perception determines its beliefs in a given situation, as might 
be expected. 


5 Comparison with Previous Proposals 


The most salient difference between our proposal and previous work ([8]) is the idea of 
considering subjective situations, which may be perceived in different ways by different 
agents. Technically, this implies two differences between our approach and 
others: 


— A situation is described with two functions ($T_i$ and $F_i$) for each Agent$_i$. 
Thus, we take into account each agent’s perception of the actual situation, considering 
a subjective description of each state. 
— Satisfiability and unsatisfiability relations between situations and formulae ($\models_i$ 
and $=\!|_i$) are also defined for each agent. 
Having a subjective description of each state, it makes sense to consider satisfiability 
relations that depend on each agent. 


The rest of the section is devoted to the comparison of our proposal with the two 
approaches to the problem of logical omniscience with which it shares most similarities: 
Levesque’s logic of explicit and implicit beliefs ([6]) and Thijsse’s hybrid sieve 
systems ([7]). 


5.1 Levesque’s Logic of Implicit and Explicit Beliefs 


Levesque uses a language with two modal operators: B for explicit beliefs and L for 
implicit beliefs. These operators are not allowed to be nested in the formulae of the 
language. A structure for explicit and implicit beliefs is defined as a tuple $M = (S, \mathcal{B}, 
T, F)$, where S is the set of primitive situations, $\mathcal{B}$ is a subset of S that represents the 
situations that could be the actual one and T and F are functions from the set of primitive 
propositions into subsets of S. Intuitively, T(P) contains all the situations that support 
the truth of P, whereas F(P) contains the ones that support the falsehood of P. A 
situation s can be partial (if there is a primitive proposition which is neither true nor 
false in s) and/or incoherent (if there is a proposition which is both true and false in s). 
A situation is complete if it is neither partial nor incoherent. A complete situation s is 
compatible with a situation t if s and t agree in all the points in which t is defined. $\mathcal{B}^*$ is 
the set of all complete situations of S that are compatible with some situation in $\mathcal{B}$. 
The relations $\models_T$ and $\models_F$ between situations and formulae are defined as follows: 


— $M, s \models_T P$, where P is a primitive proposition, if and only if $s \in T(P)$ 
— $M, s \models_F P$, where P is a primitive proposition, if and only if $s \in F(P)$ 
— $M, s \models_T \neg\phi$ if and only if $M, s \models_F \phi$ 
— $M, s \models_F \neg\phi$ if and only if $M, s \models_T \phi$ 
— $M, s \models_T (\phi \land \psi)$ if and only if $M, s \models_T \phi$ and $M, s \models_T \psi$ 
— $M, s \models_F (\phi \land \psi)$ if and only if $M, s \models_F \phi$ or $M, s \models_F \psi$ 
— $M, s \models_T B\phi$ if and only if $M, t \models_T \phi\ \ \forall t \in \mathcal{B}$ 
— $M, s \models_F B\phi$ if and only if $M, s \not\models_T B\phi$ 
— $M, s \models_T L\phi$ if and only if $M, t \models_T \phi\ \ \forall t \in \mathcal{B}^*$ 
— $M, s \models_F L\phi$ if and only if $M, s \not\models_T L\phi$ 
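
For comparison with the subjective framework, the clauses listed above for Levesque's relations can be sketched as a small evaluator. This is only an illustration under several assumptions: formulae are encoded as nested tuples, the toy situations and propositions are hypothetical, and the implicit-belief operator L is omitted because it would additionally require computing the compatible complete situations.

```python
# Toy structure M = (S, B, T, F). T[p] / F[p] are the sets of situations
# that support the truth / the falsehood of the primitive proposition p.
S = {"s1", "s2"}
B = {"s1", "s2"}                       # situations that could be the actual one
T = {"P": {"s1", "s2"}, "Q": {"s1"}}
F = {"P": set(), "Q": set()}           # Q is neither true nor false in s2 (partial)

def true_in(s, f):
    """Truth-support relation for atoms, negation, conjunction and explicit belief."""
    kind = f[0]
    if kind == "atom":
        return s in T[f[1]]
    if kind == "not":
        return false_in(s, f[1])
    if kind == "and":
        return true_in(s, f[1]) and true_in(s, f[2])
    if kind == "B":
        return all(true_in(t, f[1]) for t in B)
    raise ValueError(f"unknown connective: {kind}")

def false_in(s, f):
    """Falsity-support relation; for beliefs it is the failure of truth-support."""
    kind = f[0]
    if kind == "atom":
        return s in F[f[1]]
    if kind == "not":
        return true_in(s, f[1])
    if kind == "and":
        return false_in(s, f[1]) or false_in(s, f[2])
    if kind == "B":
        return not true_in(s, f)
    raise ValueError(f"unknown connective: {kind}")

P, Q = ("atom", "P"), ("atom", "Q")
print(true_in("s1", ("B", P)))                  # P holds in every situation of B
print(true_in("s1", ("B", Q)))                  # Q is not supported in s2
print(true_in("s2", Q), false_in("s2", Q))      # Q is undefined in s2
```

Note that T and F here map propositions to sets of situations and are not indexed by agent, whereas the functions of the subjective framework map each situation to sets of formulae for each agent.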


There are some similarities between our approach and Levesque’s logic of implicit 
and explicit beliefs. However, they are more apparent than real, as shown in this listing: 


— Levesque also considers a satisfiability and an unsatisfiability relation between 
situations and doxastic formulae. 
However, these relations are not considered for each agent. 
— Levesque also describes each situation with two functions T and F. 
These functions are not indexed by each agent, as our functions are (Levesque considers 
an objective description of what is true and what is false in each situation). 
Another important difference is that Levesque’s functions deal with basic propositions, 
and not with formulae as our functions do. 
— Both approaches allow the presence of partial or inconsistent situations. 
However, note that, in our case, it is not the (objective) description of the situation 
that is partial or inconsistent, but the subjective perception that an agent may have 
of it. Thus, the notions of partiality and inconsistency have a much more natural 
interpretation in our framework. 
— Both approaches avoid all the forms of logical omniscience. 
The reason is different in each case, though. In Levesque’s logic of explicit and 
implicit beliefs, it is the presence of incoherent situations that prevents logical omniscience. 
In our proposal, there is no need to have inconsistent situations to avoid 
logical omniscience. In fact, we solve that problem by defining $T_i$ and $F_i$ over 
arbitrary sets of formulae, and not over basic propositions. 
— There are accessibility relations between situations for each agent in both systems. 
Levesque’s accessibility relation between situations is left implicit; our accessibility 
relations are explicit. Furthermore, the intuition underlying these relations is 
somewhat different, as explained in section 2. 


Other differences with Levesque’s approach are: 


— Levesque only considers one agent, and does not allow nested beliefs. Thus, his 
agents do not have any introspective capabilities. 

— Levesque defines explicit and implicit beliefs, whereas we do not make this distinction. 

— Even though Levesque avoids logical omniscience, his agents must necessarily 
believe all those tautologies that are formed by known basic propositions (those 
propositions P for which the agent believes $(P \lor \neg P)$), regardless of their complexity. 
This is not the case in our approach, because we deal directly with formulae. 

— There is a different treatment of the unsatisfiability relation when applied to beliefs, 
because he transforms $\models_F$ into $\not\models_T$, whereas we do not. 


5.2 Thijsse’s Hybrid Sieve Systems 


Thijsse ([7]) proposes a way of using partial logics to deal with various forms of logical 
omniscience. He defines a partial model as a tuple $(W, \mathcal{B}_1, \ldots, \mathcal{B}_n, V)$, where W is a set 
of worlds, $\mathcal{B}_i$ is the accessibility relation between worlds for Agent$_i$ and V is a partial 
truth assignment to the basic propositions in each world. $\top$ is a primitive proposition 
that is always interpreted as true. Truth ($\models$) and falsity ($=\!|$) relations are defined in the 
following way: 


— $M, w \models \top$ 
— $M, w \neq\!| \top$ 
— $M, w \models P$, where P is a primitive proposition, iff $V(P, w) = 1$ 
— $M, w =\!| P$, where P is a primitive proposition, iff $V(P, w) = 0$ 
— $M, w \models \neg\phi$ iff $M, w =\!| \phi$ 
— $M, w =\!| \neg\phi$ iff $M, w \models \phi$ 
— $M, w \models (\phi \land \psi)$ iff $M, w \models \phi$ and $M, w \models \psi$ 
— $M, w =\!| (\phi \land \psi)$ iff $M, w =\!| \phi$ or $M, w =\!| \psi$ 
— $M, w \models B_i \phi$ iff $M, v \models \phi\ \ \forall v$ such that $(w, v) \in \mathcal{B}_i$ 
— $M, w =\!| B_i \phi$ iff $\exists v$ s.t. $(w, v) \in \mathcal{B}_i$ and $M, v =\!| \phi$ 


The most important similarities between our approach and Thijsse’s are: 


— n agents and n explicit accessibility relations are considered. 
However, as in Levesque’s case, there are no restrictions on these relations, and the 
intuitive meaning of our accessibility relations is slightly different. 

— Two relations (of satisfiability and unsatisfiability) are defined. Moreover, a similar 
clause is used to provide a meaning to the unsatisfiability relation with respect to 
the belief operator. 
As before, the main difference is that we provide two relations for each agent. 

— There are no tautologies in Thijsse’s system; therefore, he does not have to care 
about some forms of logical omniscience (closure under valid implication and belief 
of valid formulae). 

— Closure under material implication and closure under conjunction do not hold in 
Thijsse’s approach either. 

The main difference with Thijsse’s proposal is that he uses partial assignments of 
truth values over basic propositions for each state; thus, a proposition may be true, false 
or undefined in each state. We deal with formulae, not with basic propositions, and 
each formula may be supported and/or rejected by each agent in each state. Therefore, 
Thijsse’s approach is three-valued, whereas ours is more of a four-valued kind, such as 
Levesque’s. 


6 Summary 


In this paper it has been argued that each agent perceives its actual situation in a particular 
way, which may be different from that of other agents located in the same situation. 
The vision that an agent has of a situation determines its (positive and negative) beliefs 
in that situation. This intuitive idea has been formalized with the notion of subjective 
situations. These entities are the base of a doxastic logic, in which the meaning of the 
belief operators seems to fit with the general intuitions about how the doxastic attitude 
of a non-ideal agent should behave. In particular, logical omniscience is avoided while 
some interesting introspective properties are maintained. A detailed comparison of this 
approach with Levesque’s logic of implicit and explicit beliefs ([6]) and Thijsse’s hy- 
brid sieve systems ([7]) has also been provided. 


Abstract. We present a formalism for reasoning about the information 
properties of multi-agent systems. Multi-agent VSK logic allows us to 
represent what is objectively true of some environment, what is visible, 
or accessible of the environment to individual agents, what these agents 
actually perceive, and finally, what the agents actually know about the 
environment. The semantics of the logic are given in terms of a general 
model of multi-agent systems, closely related to the interpreted systems 
of epistemic logic. After introducing the logic and establishing its rela- 
tionship to the formal model of multi-agent systems, we systematically 
investigate a number of possible interaction axioms, and characterise 
these axioms in terms of the properties of agents that they correspond 
to. Finally, we illustrate the use of the logic through a case study, and 
discuss issues for future work. 


1 Introduction 


Consider the following scenario: 


A number of autonomous mobile robots are working in a factory, col- 
lecting and moving various goods around. All robots are equipped with 
sonars, which enable them to detect obstacles. To ensure that potentially 
costly collisions are avoided, a number of crash-avoidance techniques are 
used. First, all robots adhere to a convention that, if they detect a poten- 
tial collision, they must take evasive action either when they detect that 
other agents have right of way or when they know that regardless of the 
convention of the right of way this is the only way to avoid a collision. 
Second, a “supervisor” agent C is installed in the factory, which monitors 
all data feeds from sonars. In the event of an impending collision, 
this agent is able to step in and override the control systems of individual 
agents. At some time, two robots, A and B, are moving towards 
each other in a narrow corridor; robot A has the right of way. Robot B’s 
sonar is faulty, and as a result, B fails to notice the potential collision 
and does not give way to robot A. Robot A, using its sonar, detects the 
presence of robot B. Robot A recognises that B has not taken evasive 
action when it should have done, and reasons that B must be faulty; 
as a consequence, it takes additional evasive action. Meanwhile, the supervisor 
agent C, observing the scenario, also deduces that B must be 
faulty, and as a consequence shuts B down. 


The aim of this scenario is not to suggest an architecture for multi-agent robotics, 
but to illustrate the utility of reasoning about the information that agents can 
and do perceive, their knowledge about their environment, and the actions that 
they perform. We argue that the ability to perform such reasoning will be of 
great value if autonomous agents are to be successfully deployed. 


In this paper, we develop a formalism that will allow us to represent and 
reason about such aspects of multi-agent systems. We present multi-agent VSK 
logic, a multi-agent extension of VSK logic [9]. This logic allows us to represent 
what is objectively true of an environment, what is visible, or knowable about 
the environment to individual agents within it, what agents perceive of their 
environment, and finally, what agents actually know about their environment. 
Syntactically, VSK logic is a propositional multi-modal logic, containing three
sets of indexed unary modal operators “$V_i$”, “$S_i$”, and “$K_i$”, one for each agent
$i$. A formula $V_i\varphi$ means that the information $\varphi$ is accessible to agent $i$; $S_i\varphi$
means that agent $i$ perceives information $\varphi$; and $K_i\varphi$ means that agent $i$ knows
$\varphi$.

An important feature of multi-agent VSK logic is that its semantics are given 
with respect to a general model of agents and their environments. We are able 
to characterise possible axioms of multi-agent VSK logic with respect to this 
semantic model. Consider, for example, the VSK formula $V_i\varphi \Rightarrow S_j V_i\varphi$, which
says that if information $\varphi$ is accessible to agent $i$, then agent $j$ sees (perceives)
that $\varphi$ is accessible to $i$. Intuitively, this formula says that agent $j$ is able to see at
least as much as agent $i$; we are able to show this formally by proving correspondence
results with respect to a semantic description of agents and environments,
as well as the Kripke frames they generate.


The remainder of this paper is structured as follows. We begin in section 2 
by introducing the semantic framework that underpins multi-agent VSK logic. 
We then formally introduce the syntax and semantics of VSK logic in section 3, 
and in particular, we show how the semantics of the logic relate to the formal 
model of multi-agent systems introduced in section 2. In section 4, we discuss and 
formally characterise various interaction axioms of VSK logic. In section 5, we 
return to the case study presented above, and show how we can use multi-agent 
VSK logic to capture and reason about it. Finally, in section 6, we present
some conclusions.


2 A Semantic Framework


In this section, we present a semantic model of agents and the environments 
they occupy. This model plays the role in VSK logic that interpreted systems 
play in epistemic logic [2, pp103-107]. 

A multi-agent VSK system is assumed to comprise a collection $Ag_1, \ldots, Ag_n$
of agents, together with an environment. We formally define environments
below, but for the moment, it is assumed that an environment can be
in any of a set E of instantaneous states. We adopt a quite general model of 
agents, which makes only a minimal commitment to an agent’s internal archi- 
tecture. One important assumption we do make is that agents have an internal 
state, although we make no assumptions with respect to the actual structure of 
this state. Agents are assumed to be composed of three functional components: 
some sensor apparatus, an action selection function, and a next-state function. 

Formally, an agent $Ag_i$ is a tuple $Ag_i = \langle L_i, Act_i, see_i, do_i, \tau_i, \iota_i \rangle$, where:

- $L_i = \{l_i^1, l_i^2, \ldots\}$ is a set of instantaneous local states for agent $i$.

- $Act_i = \{a_i^1, a_i^2, \ldots\}$ is a set of actions for agent $i$.

- $see_i : 2^E \to Perc_i$ is the perception function for agent $i$, mapping sets of
  environment states (visibility sets) to percepts for agent $i$.

  Elements of the set $Perc_i$ will be denoted by $\rho_i^1, \rho_i^2, \ldots$ and so on. If $see_i$ is
  an injection into $Perc_i$ then we say that $see_i$ is perfect, otherwise we say it
  is lossy.

- $do_i : L_i \to Act_i$ is the action selection function for agent $i$, mapping local
  states to actions available to agent $i$.

- $\tau_i : L_i \times Perc_i \to L_i$ is the state transformer function for agent $i$.
  We say $\tau_i$ is complete if for any

      $g = (e, \tau_1(l_1, \rho_1), \ldots, \tau_n(l_n, \rho_n))$

  and

      $g' = (e', \tau_1(l_1', \rho_1'), \ldots, \tau_n(l_n', \rho_n'))$

  we have that

      $\tau_i(l_i, \rho_i) = \tau_i(l_i', \rho_i')$ implies $\rho_i = \rho_i'$.

  We say $\tau_i$ is local if for any

      $g = (e, \tau_1(l_1, \rho_1), \ldots, \tau_n(l_n, \rho_n))$

  and

      $g' = (e', \tau_1(l_1', \rho_1), \ldots, \tau_n(l_n', \rho_n))$

  we have that

      $\tau_i(l_i, \rho_i) = \tau_i(l_i', \rho_i)$.

  We say that an agent has perfect recall if the function $\tau_i$ is an injection.

- $\iota_i \in L_i$ is the initial state for agent $i$.

Perfect perception functions distinguish between all visibility sets; lossy perception
functions are so called because they can map different visibility sets to the
same percept, thereby losing information. We say that an agent has perfect recall
of its history if it changes its local state at every tick of the clock (cf. [2,
pp128-131]).
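
The distinction between perfect and lossy perception, and the notion of a local
state transformer, can be checked mechanically on small finite examples. The
following is a minimal sketch only: the function names, the example visibility
sets and the two example transformers are hypothetical, and injectivity of the
perception function is tested only on the visibility sets supplied, not on all
of $2^E$.

```python
from itertools import product

def is_perfect(see, visibility_sets):
    """True iff `see` maps distinct visibility sets to distinct percepts."""
    sets = list(set(visibility_sets))  # drop duplicates before comparing
    return len({see(v) for v in sets}) == len(sets)

def is_local(tau, local_states, percepts):
    """True iff tau(l, p) does not depend on the previous local state l."""
    return all(tau(l1, p) == tau(l2, p)
               for l1, l2 in product(local_states, repeat=2)
               for p in percepts)

# Hypothetical example: environment states 0..3, with 0 and 1 indistinguishable.
VIS_SETS = [frozenset({0, 1}), frozenset({2}), frozenset({3})]

see_perfect = min                                  # a distinct percept per set
see_lossy = lambda v: "far" if 3 in v else "near"  # merges two visibility sets

tau_local = lambda l, p: p             # next state is just the latest percept
tau_history = lambda l, p: l + (p,)    # next state appends percept to a history
```

Under these assumptions, `see_perfect` passes the injectivity test while
`see_lossy` does not, and `tau_history` fails the locality test because its
result depends on the previous local state.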

Following [2], we use the term “environment” to denote all the components 
of a system external to the agents that occupy it. Sometimes, environments can 
be represented as just another agent of the system; more often they serve a 
special purpose, as they can be used to model communication architectures, etc. 
We model an environment as a tuple containing a set of possible instantaneous 
states, a visibility function for each agent, which characterises the information 
available to an agent in every environment state, a state transformer function, 
which characterises the effects that an agent’s actions have on the environment, 
and, finally, an initial state.

Formally, an environment $Env$ is a tuple

    $Env = \langle E, vis_1, \ldots, vis_n, \tau_e, e_0 \rangle$

where:

- $E = \{e, e', \ldots\}$ is a set of instantaneous local states for the environment.

- $vis_i : E \to 2^E$ is the visibility function of agent $i$. It is assumed that $vis_i$
  partitions $E$ into mutually disjoint sets and that $e \in vis_i(e)$, for any $e \in E$.
  Elements of the codomain of the function $vis_i$ are called visibility sets. We
  say that $vis_i$ is transparent if for any $e \in E$ we have that $vis_i(e) = \{e\}$.

- $\tau_e : E \times Act_1 \times \cdots \times Act_n \to 2^E$ is a total state transformer function for
  the environment (cf. [2, p154]), which maps environment states and tuples
  of actions, one for each agent, to the set of environment states that could
  result from the performance of these actions in this state.

- $e_0 \in E$ is the initial state of $Env$.
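
The two requirements placed on a visibility function (each state belongs to its
own visibility set, and the visibility sets partition $E$) are easy to test on a
finite environment. The sketch below is illustrative only; the helper names and
the three example functions are hypothetical.

```python
def is_visibility_function(vis, E):
    """True iff e is in vis(e) for every e and the sets vis(e) partition E."""
    E = set(E)
    for e in E:
        cell = vis(e)
        if e not in cell or not cell.issubset(E):
            return False
        # Every state in the cell must yield the same cell; this forces any
        # two cells to be either equal or disjoint.
        if any(vis(f) != cell for f in cell):
            return False
    return True

def is_transparent(vis, E):
    """True iff vis(e) = {e} for every environment state e."""
    return all(vis(e) == frozenset({e}) for e in E)

# Hypothetical four-state environment.
E = range(4)
vis_pairs = lambda e: frozenset(x for x in E if x // 2 == e // 2)  # {0,1}, {2,3}
vis_exact = lambda e: frozenset({e})                               # transparent
vis_overlap = lambda e: frozenset({e, (e + 1) % 4})                # not a partition
```

Here `vis_pairs` is a legitimate but non-transparent visibility function,
`vis_exact` is transparent, and `vis_overlap` is rejected because its sets
overlap without coinciding.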


Modelling an environment in terms of a set of states and a state transformer 
is quite conventional (see, e.g., [2]). The use of the visibility function, however, 
requires some explanation. Before we do this, let us define the concept of global 
state. The global states $G = \{g, g', \ldots\}$ of a VSK system are a subset of
$E \times L_1 \times \cdots \times L_n$.

The visibility function defines what is in principle knowable about a VSK 
system; the idea is similar to the notion of “partial observability” in POMDPs [6]. 
Intuitively, not all the information in an environment state is in general accessible
to an agent. So, in a global state $g = (e, l_1, \ldots, l_n)$, $vis_i(e) = \{e, e', e''\}$
represents the fact that the environment states $e'$ and $e''$ are indistinguishable to
agent $i$ from $e$. This is so regardless of agent $i$’s efforts in performing the observation;
it represents the maximum amount of information that is in principle
available to $i$ when observing state $e$. The concept of transparency, as defined
above, captures “perfect” scenarios, in which all the information in a state is 
accessible to an agent. Note that visibility functions are not intended to capture 
the everyday notion of visibility as in “object x is visible to the agent”.

A multi-agent VSK system is a structure $S = \langle Env, Ag_1, \ldots, Ag_n \rangle$, where
$Env$ is an environment, and $Ag_1, \ldots, Ag_n$ are agents. The class of VSK systems
is denoted by $\mathcal{S}$.

Although the logics we discuss in this paper may be used to refer to static 
properties of knowledge, visibility, and perception, the semantic model natu- 
rally allows us to account for the temporal evolution of a VSK system. The 
behaviour of a VSK system can be summarised as follows. Each agent $i$ starts
in state $\iota_i$, the environment starts in state $e_0$. At this point every agent $i$
“synchronises” with the environment by performing an initial observation through
the visibility function $vis_i$, and generates a percept $\rho_i^0 = see_i(vis_i(e_0))$. The
internal state of the agent is then updated, and becomes $\tau_i(\iota_i, \rho_i^0)$. The
synchronisation phase is now over and the system starts its run from the initial state
$g_0 = (e_0, \tau_1(\iota_1, \rho_1^0), \ldots, \tau_n(\iota_n, \rho_n^0))$. An action $a_i^0 = do_i(\tau_i(\iota_i, \rho_i^0))$ is selected and
performed by each agent $i$ on the environment, whose state is updated into
a state $e_1 \in \tau_e(e_0, a_1^0, \ldots, a_n^0)$. Each agent enters another cycle, and so on.

A run of a system is thus a (possibly infinite) sequence of global states. A
sequence $(g_0, g_1, g_2, \ldots)$ over $G$ represents a run of a system $\langle Env, Ag_1, \ldots, Ag_n \rangle$
iff

- $g_0 = (e_0, \tau_1(\iota_1, see_1(vis_1(e_0))), \ldots, \tau_n(\iota_n, see_n(vis_n(e_0))))$, and

- for all $u$, if $g_u = (e, l_1, \ldots, l_n)$ and $g_{u+1} = (e', l_1', \ldots, l_n')$ then:

      $e' \in \tau_e(e, a_1, \ldots, a_n)$ and
      $l_i' = \tau_i(l_i, see_i(vis_i(e')))$

  where $a_i = do_i(l_i)$.


Given a multi-agent VSK system $S = \langle Env, Ag_1, \ldots, Ag_n \rangle$, we say $G_S \subseteq G$
is the set of global states generated by $S$ if $G_S$ contains exactly the states $g$
that occur in a run of $S$.
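
For a finite system, the set of generated global states can be computed by a
breadth-first exploration that follows the run conditions above. The sketch below
is one possible encoding, not part of the original formalism: agents are
represented as dictionaries with hypothetical keys `init`, `see`, `do` and `tau`,
and the one-agent example system is invented for illustration. The exploration
terminates only when finitely many global states are reachable.

```python
from collections import deque

def initial_state(e0, vis, agents):
    """g0 = (e0, tau_1(init_1, see_1(vis_1(e0))), ..., tau_n(...))."""
    return (e0,) + tuple(
        ag["tau"](ag["init"], ag["see"](vis[i](e0)))
        for i, ag in enumerate(agents))

def successors(g, vis, tau_e, agents):
    """All global states that may follow g in some run."""
    e, local_states = g[0], g[1:]
    actions = tuple(ag["do"](l) for ag, l in zip(agents, local_states))
    for e2 in tau_e(e, actions):
        yield (e2,) + tuple(
            ag["tau"](l, ag["see"](vis[i](e2)))
            for i, (ag, l) in enumerate(zip(agents, local_states)))

def generated_states(e0, vis, tau_e, agents):
    """Breadth-first computation of the reachable global states."""
    g0 = initial_state(e0, vis, agents)
    seen, queue = {g0}, deque([g0])
    while queue:
        g = queue.popleft()
        for h in successors(g, vis, tau_e, agents):
            if h not in seen:
                seen.add(h)
                queue.append(h)
    return seen

# Hypothetical system: one agent walking along positions 0, 1, 2.
vis = [lambda e: frozenset({e})]                     # transparent visibility
tau_e = lambda e, acts: {min(e + 1, 2)} if acts[0] == "step" else {e}
agent = {"init": None,
         "see": min,                                 # percept = the visible state
         "do": lambda l: "stay" if l == 2 else "step",
         "tau": lambda l, p: p}                      # local: keep latest percept
G_S = generated_states(0, vis, tau_e, [agent])
```

In this toy system the agent's local state always equals the environment state,
so the generated global states are the three pairs in which both components
agree.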


3 Multi-agent VSK Logic 


We now introduce a language $\mathcal{L}$, which will enable us to represent the information
properties of multi-agent VSK systems. In particular, it will allow us to represent
first what is true of the VSK system, then what is visible, or knowable of the
system to the agents within it, then what these agents perceive of the system, and
finally, what each agent knows of the system. $\mathcal{L}$ is a propositional multi-modal
language, containing three sets of indexed unary modal operators, for visibility,
perception, and knowledge respectively. Given a set $P$ of propositional atoms,
the language $\mathcal{L}$ of VSK logic is defined by the following BNF grammar:


$$\begin{array}{rcl}
\langle ag \rangle  & ::= & 1 \mid \cdots \mid n \\
\langle wff \rangle & ::= & \mathbf{true} \mid \text{any element of } P \mid \neg \langle wff \rangle \mid \langle wff \rangle \wedge \langle wff \rangle \\
                    & \mid & V_{\langle ag \rangle} \langle wff \rangle \mid S_{\langle ag \rangle} \langle wff \rangle \mid K_{\langle ag \rangle} \langle wff \rangle
\end{array}$$


The modal operator “$V_i$” will allow us to represent the information that is
instantaneously visible or knowable about the state of the system to agent $i$. Thus
suppose the formula $V_i\varphi$ is true in some state $g \in G$. The intended interpretation
of this formula is that the property $\varphi$ is accessible to agent $i$ when the system
is in state $g$. This means that not only is $\varphi$ true of the environment, but agent
$i$, if it were equipped with suitable sensor apparatus, would be able to perceive
$\varphi$. If $\neg V_i\varphi$ were true in some state, then no matter how good agent $i$’s sensor
apparatus was, it would be unable to perceive $\varphi$.

The fact that something is visible to an agent does not mean that the agent 
actually sees it. What an agent does see is determined by its sensors. The modal 
operator “$S_i$” will be used to represent the information that agent $i$ “sees”. The
idea is as follows. Suppose agent $i$’s sensory apparatus (represented by the $see_i$
function in our semantic model) is a video camera, and so the percepts being
received by agent $i$ take the form of a video feed. Then $S_i\varphi$ means that an
impartial observer would say that the video feed currently being supplied by
$i$’s video camera carried the information $\varphi$; in other words, $\varphi$ is true in all
situations where $i$ received the same video feed.

Finally, we can represent the knowledge possessed by agents within a system. 
We represent agent $i$’s knowledge by means of a modal operator “$K_i$”. In line
with the tradition that started with Hintikka [4], we write $K_i\varphi$ to represent the
fact that agent $i$ has knowledge of the formula represented by $\varphi$. Our model of
knowledge is that popularised by Halpern and colleagues [2]: agent $i$ is said to
know $\varphi$ when in local state $l$ if $\varphi$ is guaranteed to be true whenever $i$ is in state
$l$. As with visibility and perception, knowledge is an external notion: an agent
is said to know $\varphi$ if an impartial, omniscient observer would say that the agent’s
state carried the information $\varphi$.

We now proceed to interpret our formal language. We do so with respect to 
the equivalence Kripke frames generated (see [2]) by VSK systems. Given a VSK 
system $S = \langle Env, Ag_1, \ldots, Ag_n \rangle$, the Kripke frame

    $F_S = \langle W, \sim^v_1, \sim^s_1, \sim^k_1, \ldots, \sim^v_n, \sim^s_n, \sim^k_n \rangle$

generated by $S$ is defined as follows:

- $W = G_S$ (recall that $G_S$ is the set of global states reachable by system $S$),

- For every $i = 1, \ldots, n$, the relation $\sim^v_i \subseteq W \times W$ is defined by:
  $(e, l_1, \ldots, l_n) \sim^v_i (e', l_1', \ldots, l_n')$ if $e' \in vis_i(e)$,

- For every $i = 1, \ldots, n$, the relation $\sim^s_i \subseteq W \times W$ is defined by:
  $(e, l_1, \ldots, l_n) \sim^s_i (e', l_1', \ldots, l_n')$ if $see_i(vis_i(e)) = see_i(vis_i(e'))$,

- For every $i = 1, \ldots, n$, the relation $\sim^k_i \subseteq W \times W$ is defined by:
  $(e, l_1, \ldots, l_n) \sim^k_i (e', l_1', \ldots, l_n')$ if $l_i = l_i'$.


The class of frames generated by VSK systems in $\mathcal{S}$ will be denoted by $\mathcal{F}_{\mathcal{S}}$. As
might be expected, all frames generated by systems in $\mathcal{S}$ are equivalence frames.


Lemma 1. Every frame $F \in \mathcal{F}_{\mathcal{S}}$ is an equivalence frame, i.e., all the relations
in $F$ are equivalence relations.
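
The three accessibility relations can be built directly from a finite set of
global states, and the equivalence property stated in Lemma 1 can then be
checked by brute force. This is a sketch under simplifying assumptions: global
states are tuples `(e, l_1, ..., l_n)`, so the local state of agent `i` is `g[i]`,
and the example states, visibility function and perception function are
hypothetical.

```python
def relations(states, i, vis_i, see_i):
    """Return the visibility, perception and knowledge relations of agent i."""
    rel_v = {(g, h) for g in states for h in states
             if h[0] in vis_i(g[0])}
    rel_s = {(g, h) for g in states for h in states
             if see_i(vis_i(g[0])) == see_i(vis_i(h[0]))}
    rel_k = {(g, h) for g in states for h in states
             if g[i] == h[i]}
    return rel_v, rel_s, rel_k

def is_equivalence(rel, states):
    """Check reflexivity, symmetry and transitivity of rel over states."""
    reflexive = all((g, g) in rel for g in states)
    symmetric = all((h, g) in rel for (g, h) in rel)
    transitive = all((g, k) in rel
                     for (g, h) in rel for (h2, k) in rel if h == h2)
    return reflexive and symmetric and transitive

# Hypothetical one-agent example with three global states.
states = {(0, "a"), (1, "a"), (2, "b")}
vis_1 = lambda e: frozenset({0, 1}) if e in (0, 1) else frozenset({2})
see_1 = lambda v: "blip"            # a lossy sensor: one percept for everything
rel_v, rel_s, rel_k = relations(states, 1, vis_1, see_1)
```

In this example the perception relation relates all states, because the sensor
is maximally lossy, while the visibility relation is strictly finer.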


We have now built a bridge between VSK systems and Kripke frames. In what
follows, we assume the standard definitions of satisfaction and validity for Kripke
frames and Kripke models; we refer the reader to [5,3] for a detailed exposition
of the subject. Following [2] and [7], we define the concepts of truth and validity
on Kripke models that are generated by VSK systems.


Axiom                                      VSK class
$V_i\varphi \Rightarrow \varphi$           none (valid in all systems)
$\varphi \Rightarrow V_i\varphi$           $vis_i$ is transparent

$S_i\varphi \Rightarrow V_i\varphi$        none (valid in all systems)
$V_i\varphi \Rightarrow S_i\varphi$        $see_i$ is perfect

$K_i\varphi \Rightarrow S_i\varphi$        $\tau_i$ has perfect recall
$S_i\varphi \Rightarrow K_i\varphi$        $\tau_i$ is local


Table 1. Single-agent interaction axioms in VSK logic.

Given an interpretation $\pi : W \to 2^P$, we say that a formula $\varphi \in \mathcal{L}$ is
satisfied at a point $g \in G$ on a VSK system $S$ if the model $M_S = \langle F_S, \pi \rangle$ built
on the generated frame $F_S$ by use of $\pi$ is such that $M_S \models_g \varphi$. The propositional
connectives are assumed to be interpreted as usual, and the modal operators $V_i$,
$S_i$, and $K_i$ are assumed to be interpreted in the standard way (see for example
[5]) by means of the equivalence relations $\sim^v_i$, $\sim^s_i$, and $\sim^k_i$ respectively.

We are especially interested in the properties of a VSK system as a whole.
The notion of validity is appropriate for this analysis. A formula $\varphi \in \mathcal{L}$ is valid
on a class $\mathcal{S}$ of VSK systems if for any system $S \in \mathcal{S}$, we have that $F_S \models \varphi$.
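
The standard satisfaction relation can be sketched as a small recursive
evaluator. The encoding is an assumption made for illustration: formulas are
nested tuples, relations are sets of state pairs indexed by an operator letter
and an agent number, and the three-state model is hypothetical. Implication is
expressed through negation and conjunction, as in the grammar of the logic.

```python
def from_partition(cells):
    """Build an equivalence relation (set of pairs) from its classes."""
    return {(g, h) for cell in cells for g in cell for h in cell}

def holds(phi, g, states, rel, val):
    """Evaluate formula phi at state g with box semantics for V, S, K."""
    kind = phi[0]
    if kind == "true":
        return True
    if kind == "atom":
        return phi[1] in val[g]
    if kind == "not":
        return not holds(phi[1], g, states, rel, val)
    if kind == "and":
        return (holds(phi[1], g, states, rel, val)
                and holds(phi[2], g, states, rel, val))
    if kind in ("V", "S", "K"):
        agent, sub = phi[1], phi[2]
        return all(holds(sub, h, states, rel, val)
                   for h in states if (g, h) in rel[(kind, agent)])
    raise ValueError("unknown connective: %r" % (kind,))

def implies(a, b):
    """a => b, written with the primitive connectives."""
    return ("not", ("and", a, ("not", b)))

def valid(phi, states, rel, val):
    """phi holds at every state of this particular model."""
    return all(holds(phi, g, states, rel, val) for g in states)

# Hypothetical model: agent 1 can in principle tell g2 apart, but its sensor cannot.
states = ["g0", "g1", "g2"]
rel = {("V", 1): from_partition([{"g0", "g1"}, {"g2"}]),
       ("S", 1): from_partition([{"g0", "g1", "g2"}])}
val = {"g0": {"p"}, "g1": {"p"}, "g2": set()}
p = ("atom", "p")
```

With this model, `p` is visible to agent 1 at `g0` but not seen by it, so the
schema relating visibility to perception fails in one direction and holds in the
other. Note that `valid` checks a single model only, whereas validity on a frame
quantifies over all interpretations.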


4 Interaction Axioms in Multi-agent VSK Logic 


In this section we will study some basic interaction axioms that can be specified 
within VSK logic. Interaction axioms are formulas in which different modalities 
are present; they specify a form of “binding” between the attitudes corresponding 
to the modal operators. 

Note that, in previous work, we have studied and given semantic characterisations
for single-agent interaction axioms (i.e., axioms in a VSK logic where
there is only one $V$ operator, only one $S$ operator, and only one $K$ operator) [9].
For example, we were able to show that the axiom schema $V\varphi \Rightarrow S\varphi$ characterised
a particular property of an agent’s perception function: namely, that it
was perfect, in the sense that we defined in section 2. We summarise these results
in table 1.

In this paper we analyse some multi-agent interaction axioms. The most 
obvious form that these interaction axioms may have is the following: 


    $\Box_i\varphi \Rightarrow \Box_j\varphi$  where $\Box_i \in \{S_i, V_i, K_i\}$, $\Box_j \in \{S_j, V_j, K_j\}$.    (1)


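If we assume $i \neq j$ (the case $i = j$ was dealt with in [9]), Axiom (1) generates
nine possible interaction axioms in total, as summarised in table 2. The second
column of table 2 gives the conditions on Kripke models that correspond (in the
sense of [1]) to the axiom. The third column gives the first-order condition on
VSK systems that corresponds to the interaction axioms. (Note that in these
conditions each variable is assumed to be universally quantified: for example,
the third axiom $V_i\varphi \Rightarrow K_j\varphi$ corresponds to systems $S$ in which for all
$g = (e, l_1, \ldots, l_n)$ and $g' = (e', l_1', \ldots, l_n')$, we have that $l_j = l_j'$ implies
$vis_i(e) = vis_i(e')$.)


Axiom                                  Kripke condition                 VSK condition
$V_i\varphi \Rightarrow V_j\varphi$    $\sim^v_j \subseteq \sim^v_i$    $vis_j(e) \subseteq vis_i(e)$
$V_i\varphi \Rightarrow S_j\varphi$    $\sim^s_j \subseteq \sim^v_i$    $sv_j(e) = sv_j(e') \rightarrow vis_i(e) = vis_i(e')$
$V_i\varphi \Rightarrow K_j\varphi$    $\sim^k_j \subseteq \sim^v_i$    $l_j = l_j' \rightarrow vis_i(e) = vis_i(e')$
$S_i\varphi \Rightarrow V_j\varphi$    $\sim^v_j \subseteq \sim^s_i$    $vis_j(e) = vis_j(e') \rightarrow sv_i(e) = sv_i(e')$
$S_i\varphi \Rightarrow S_j\varphi$    $\sim^s_j \subseteq \sim^s_i$    $sv_j(e) = sv_j(e') \rightarrow sv_i(e) = sv_i(e')$
$S_i\varphi \Rightarrow K_j\varphi$    $\sim^k_j \subseteq \sim^s_i$    $l_j = l_j' \rightarrow sv_i(e) = sv_i(e')$
$K_i\varphi \Rightarrow V_j\varphi$    $\sim^v_j \subseteq \sim^k_i$    $vis_j(e) = vis_j(e') \rightarrow l_i = l_i'$
$K_i\varphi \Rightarrow S_j\varphi$    $\sim^s_j \subseteq \sim^k_i$    $sv_j(e) = sv_j(e') \rightarrow l_i = l_i'$
$K_i\varphi \Rightarrow K_j\varphi$    $\sim^k_j \subseteq \sim^k_i$    $l_j = l_j' \rightarrow l_i = l_i'$


Table 2. Some multi-agent interaction axioms in multi-agent VSK logic. Note
that in the table the function $sv_i : E \to Perc_i$ stands for $see_i \circ vis_i$.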
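
The link between an interaction axiom and the inclusion of one accessibility
relation in another can be explored by brute force on a small frame. The sketch
below is illustrative only: it checks the schema for a single atom under every
possible valuation, which is how frame validity is tested here, and the
three-state relations `coarse` and `fine` are hypothetical.

```python
from itertools import combinations

def box(rel, truth, states):
    """States at which box-p holds, where `truth` is the set of p-states."""
    return {g for g in states
            if all(h in truth for h in states if (g, h) in rel)}

def axiom_valid(rel_i, rel_j, states):
    """Check box_i p => box_j p at every state under every valuation of p."""
    states = list(states)
    for r in range(len(states) + 1):
        for truth in map(set, combinations(states, r)):
            if not box(rel_i, truth, states).issubset(box(rel_j, truth, states)):
                return False
    return True

# Hypothetical relations over three states.
STATES = [0, 1, 2]
coarse = {(g, h) for g in STATES for h in STATES}            # one class
fine = {(0, 0), (0, 1), (1, 0), (1, 1), (2, 2)}              # classes {0,1}, {2}
```

When agent j's relation is `fine` and agent i's is `coarse`, the inclusion
holds and so does the schema; swapping the roles breaks both, for instance
under the valuation that makes the atom true exactly at states 0 and 1.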

We begin our analysis with the schema which says that if $\varphi$ is visible to $i$,
then $\varphi$ is visible to $j$.


    $V_i\varphi \Rightarrow V_j\varphi$    (2)

This axiom says that everything visible to $i$ is also visible to $j$. Note that the
first-order condition corresponding to Axiom (2) implies that at least as much
information is accessible to agent $j$ as agent $i$.

    $V_i\varphi \Rightarrow S_j\varphi$    (3)

Axiom (3) says that $j$ sees everything visible to $i$. It is easy to see that in
systems that validate this schema, since $j$ sees everything visible to $i$, and
everything $j$ sees is visible to $j$ (table 1), it must be that
everything visible to $i$ is also visible to $j$. In other words, VSK systems that
validate Axiom (3) will also validate (2).

    $V_i\varphi \Rightarrow K_j\varphi$    (4)

Axiom (4) says that everything visible to $i$ is known to $j$.

    $S_i\varphi \Rightarrow V_j\varphi$    (5)

Axiom (5) says that everything $i$ sees is visible to $j$. Intuitively, this means that
the percepts $i$ receives are part of the environment that is visible to $j$.

    $S_i\varphi \Rightarrow S_j\varphi$    (6)

Axiom (6) says that $j$ sees everything $i$ sees. Since we know from [9] that any
system $S$ validates the axiom $S_j\varphi \Rightarrow V_j\varphi$, it follows that any VSK system
validating Axiom (6) will also validate Axiom (5). Note that from table 2, it
follows that

    $|see_i(vis_i(E))| \leq |see_j(vis_j(E))|$

So, since agent $j$ has at least as many perception states at its disposal as agent $i$,
it has a finer grain of perception.

    $S_i\varphi \Rightarrow K_j\varphi$    (7)

Axiom (7) says that if $i$ sees $\varphi$ then $j$ knows $\varphi$; in other words, $j$ knows everything
that $i$ sees.

    $K_i\varphi \Rightarrow V_j\varphi$    (8)

Axiom (8) says that if $i$ knows $\varphi$, then $\varphi$ is visible to $j$. Intuitively, this means
that $i$’s local state is visible to $j$. Axiom (8) thus says that entity $j$ has “read
access” to the state of another entity $i$.

    $K_i\varphi \Rightarrow S_j\varphi$    (9)

Axiom (9) captures a more general case than that of (8), where entity $j$ not only
has read access to the state of $i$, but actually does read this state. Note
that any system that validates (9) will also validate (8).

    $K_i\varphi \Rightarrow K_j\varphi$    (10)

This final schema says that $j$ knows everything that $i$ knows. Note that from
the corresponding condition on VSK systems in table 2, it follows that

    $|L_i| \leq |L_j|$

So, since agent $j$ has at least as many local states, it has a finer grain of knowledge than
agent $i$. If we also have the converse of (10), then we would have $K_i\varphi \Leftrightarrow K_j\varphi$
as valid; an obvious interpretation of this schema would be that $i$ and $j$ had the
same state.

All these considerations lead us to the following: 


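Theorem 1. For any axiom $\psi$ of table 2 and any VSK system $S$ we have that
the following are equivalent:


1. The system $S$ validates $\psi$, i.e., $S \models \psi$;
2. The generated frame $F_S$ satisfies the corresponding Kripke condition $R_\psi$;
3. The system $S$ satisfies the corresponding VSK condition $S_\psi$.


Axiom                                         Kripke condition                 VSK condition
$V_i\varphi \Rightarrow V_j V_i\varphi$       $\sim^v_j \subseteq \sim^v_i$    $vis_j(e) \subseteq vis_i(e)$
$V_i\varphi \Rightarrow S_j V_i\varphi$       $\sim^s_j \subseteq \sim^v_i$    $sv_j(e) = sv_j(e') \rightarrow vis_i(e) = vis_i(e')$
$V_i\varphi \Rightarrow K_j V_i\varphi$       $\sim^k_j \subseteq \sim^v_i$    $l_j = l_j' \rightarrow vis_i(e) = vis_i(e')$
$S_i\varphi \Rightarrow V_j S_i\varphi$       $\sim^v_j \subseteq \sim^s_i$    $vis_j(e) = vis_j(e') \rightarrow sv_i(e) = sv_i(e')$
$S_i\varphi \Rightarrow S_j S_i\varphi$       $\sim^s_j \subseteq \sim^s_i$    $sv_j(e) = sv_j(e') \rightarrow sv_i(e) = sv_i(e')$
$S_i\varphi \Rightarrow K_j S_i\varphi$       $\sim^k_j \subseteq \sim^s_i$    $l_j = l_j' \rightarrow sv_i(e) = sv_i(e')$
$K_i\varphi \Rightarrow V_j K_i\varphi$       $\sim^v_j \subseteq \sim^k_i$    $vis_j(e) = vis_j(e') \rightarrow l_i = l_i'$
$K_i\varphi \Rightarrow S_j K_i\varphi$       $\sim^s_j \subseteq \sim^k_i$    $sv_j(e) = sv_j(e') \rightarrow l_i = l_i'$
$K_i\varphi \Rightarrow K_j K_i\varphi$       $\sim^k_j \subseteq \sim^k_i$    $l_j = l_j' \rightarrow l_i = l_i'$


Table 3. Other interaction axioms in multi-agent VSK logic.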


Proof (Outline). Given any axiom $\psi$ in table 2, it is a known result that $F_S \models \psi$
if and only if $F_S$ has the Kripke property $R_\psi$ shown in table 2 (see [7] for details).
But since validity on a VSK system $S$ is defined in terms of the generated frame
$F_S$, the equivalence between items 1 and 2 follows.

For each line of the table, the equivalence between 2 and 3 can be established
by re-writing the relational properties on Kripke frames in terms of the VSK
conditions on VSK systems.


Other Interaction Axioms Before we leave our study of VSK interaction 
axioms, it is worth noting that there are many other possible interaction axioms 
of interest [7]. The most important of these have the following general form. 


    $\Box_i\varphi \Rightarrow \Box_j\Box_i\varphi$  where $\Box_i \in \{S_i, V_i, K_i\}$, $\Box_j \in \{S_j, V_j, K_j\}$, $i \neq j$.    (11)


It is easy to see that schema (11) generates nine possible interaction axioms. We 
can prove the following general result about such interaction axioms. 


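Lemma 2. For any system $S$, we have that the generated frame $F_S$ satisfies the
following property.


    $F_S \models \Box_i\varphi \Rightarrow \Box_j\Box_i\varphi$ if and only if $\sim^{\Box_j} \subseteq \sim^{\Box_i}$,


where $\Box_i \in \{S_i, V_i, K_i\}$, $\Box_j \in \{S_j, V_j, K_j\}$ and $\sim^{\Box_i}$ (respectively $\sim^{\Box_j}$) is the
equivalence relation corresponding to the modal operator $\Box_i$ (respectively $\Box_j$).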


Proof. Follows from the results presented in [7, Lemma A.11]. 


Thanks to the above result we can prove that the classes of VSK systems anal- 
ysed above are also characterised by the axioms discussed in this section. Indeed 
we have the following.

Corollary 1. For any axiom $\psi$ of table 3 and any VSK system $S$ we have that
the following are equivalent:


1. The system $S$ validates $\psi$, i.e., $S \models \psi$;
2. The generated frame $F_S$ satisfies the corresponding Kripke condition $R_\psi$;
3. The system $S$ satisfies the corresponding VSK condition $S_\psi$.


Proof. Follows from Lemma 2 and Theorem 1. 


5 A Case Study


In order to illustrate the use of multi-agent VSK logic, we consider again the 
scenario presented in section 1. While the scenario can be equally explored by 
means of VSK semantics, here we focus on the axiomatic side of the formalism. 

As discussed in section 1, we have three robotic agents A, B, C involved in
a coordination problem in a navigation scenario. We suppose the autonomous
robots A, B to be equipped with sonars that can perfectly perceive the environment
up to a certain distance of, say, 1 metre; so their visibility function is
not transparent (see Table 1). We further assume that within 1 metre
of an object the pairing sonar/environment is perfect; hence within this distance
the environment is fully visible. Since we assume that signals from sensors
are easy to process, we further assume that if the sensors
are working adequately, then the agents have perfect perception, i.e. they are
semantically described by a perfect $see$ function as in Table 1. We also assume
that agents know everything they see, i.e. that their $\tau$ function is local.

Further assume that the robots A, B follow the following rule: if they know
that there is a moving object apparently about to collide with them, then they
must take evasive action either when this is the only way to avoid a collision, or,
in case the object is another robot, when the other robot has right of way. These rules are
assumed to be commonly known, or at least to hold however deeply they are nested within a
number of operators. The supervisor has access to the sensors of all the agents (it therefore
sees what the agents see and knows what is visible to the agents; see previous
section) plus some fixed sensors in the environment they inhabit. Hence we model
agent C by supposing that it has perfect perception of the environment, that
the environment is completely visible to it and that all its perceptions are known
by it.

We can now tailor the specification above to the scenario currently under analysis.
We have that agents A, B are on a collision course with A having right of way,
that this is visible both to agent B and to agent A, except that while agent A
does see this, agent B does not. Formally:


    $coll \wedge V_A\,coll \wedge V_B\,coll \wedge \neg S_B\,coll \wedge r\text{-}o\text{-}w_A$.


Given the assumptions on the agents presented above, it is possible to show
that it follows that agent A will take evasive action and that agent B will be
shut down by the controller agent C. A proof of this is as follows:

 1. $V_B\,coll \wedge \neg S_B\,coll \wedge V_A\,coll \wedge r\text{-}o\text{-}w_A$    [Given]
 2. $V_C(V_B\,coll \wedge \neg S_B\,coll) \Rightarrow S_C(V_B\,coll \wedge \neg S_B\,coll) \Rightarrow K_C(V_B\,coll \wedge \neg S_B\,coll)$    [Perfect Perception]
 3. $K_C(V_B\,coll \wedge \neg S_B\,coll) \Rightarrow shutdown_B$    [Given]
 4. $(V_B\,coll \wedge \neg S_B\,coll) \Rightarrow K_C(V_B\,coll \wedge \neg S_B\,coll)$    [Given]
 5. $shutdown_B$    [1, 3, 4 + Taut]
 6. $K_A((\neg ev\text{-}act_B \wedge r\text{-}o\text{-}w_A) \Rightarrow \neg K_B\,coll)$    [Given + Taut]
 7. $\neg ev\text{-}act_B \Rightarrow S_A \neg ev\text{-}act_B \Rightarrow K_A \neg ev\text{-}act_B$    [Perfect Perception]
 8. $K_A \neg K_B\,coll$    [6, 7, K]
 9. $K_A(coll \wedge \neg K_B\,coll) \Rightarrow ev\text{-}act_A$    [Given]
10. $V_A\,coll \Rightarrow S_A\,coll \Rightarrow K_A\,coll$    [Perfect Perception]
11. $K_A\,r\text{-}o\text{-}w_A$    [1, Perfect Perception]
12. $ev\text{-}act_A$    [1, 8, 9, 10, 11, K]


6 Conclusions 


In order to design or understand the behaviour of many multi-agent systems, it 
is necessary to reason about the information properties of the system — what 
information the agents within it have access to, what they actually perceive, and 
what they know. In this paper, we have presented a logic for reasoning about 
such properties, demonstrated the relationship of this logic to an abstract general 
model of multi-agent systems, and investigated various interaction axioms of the 
logic. Many issues suggest themselves as candidates for future work: chief among 
them is completeness. In [8], we proved completeness for a mono-modal fragment 
of VSK logic. In particular, we proved completeness not simply with respect to 
an abstract class of Kripke frames, but with respect to the class of Kripke frames 
corresponding to our model of agents and environments. It is reasonable to expect 
the proof to transfer to multi-agent settings. However, when interaction axioms 
of the form studied in section 4 are present, matters naturally become more 
complicated, and an analysis for each different system is required. This is future 
work, as are such issues as temporal extensions to the logic, and complexity 
results.


Abstract. We present new tractable cases for default reasoning from conditional
knowledge bases. In detail, we introduce q-Horn conditional knowledge bases,
which allow for a limited use of disjunction. We show that previous tractability results
for $\varepsilon$-entailment, proper $\varepsilon$-entailment, and z- and $z^+$-entailment in the Horn
case can be extended to the q-Horn case. Moreover, we present feedback-free-Horn
conditional knowledge bases, which constitute a new, meaningful class of
conditional knowledge bases. We show that the maximum entropy approach and
lexicographic entailment are tractable in the feedback-free-Horn case. Our results
complement and extend previous results, and contribute in refining the
tractability/intractability frontier of default reasoning from conditional knowledge bases.


1 Introduction 


A conditional knowledge base consists of a collection of strict statements in classical
logic and a collection of defeasible rules (also called defaults). The former are statements
that must always hold, while the latter are rules $\phi \to \psi$ that read as “generally,
if $\phi$ then $\psi$.” For example, the knowledge “penguins are birds” and “penguins do not
fly” can be represented by strict sentences, while the knowledge “birds fly” should be
expressed by a defeasible rule (since penguins are birds that do not fly).

The semantics of a conditional knowledge base KB is given by the set of all de- 
faults that are plausible consequences of KB. The literature contains several different 
proposals for plausible consequence relations and extensive work on their desired prop- 
erties. The core of these properties are the rationality postulates proposed by Kraus, 
Lehmann, and Magidor [17], which constitute a sound and complete axiom system 
for several classical model-theoretic entailment relations under uncertainty measures 
on worlds. More precisely, they characterize classical model-theoretic entailment under 
preferential structures, infinitesimal probabilities, possibility measures, and world rank- 
ings. Moreover, they characterize an entailment relation based on conditional objects. 
A survey of all these relationships is given in [4]. We will use the notion of $\varepsilon$-entailment
to refer to these equivalent entailment relations.

Mainly to solve problems with irrelevant information, the notion of rational closure 
as a more adventurous notion of entailment has been introduced by Lehmann [20]. It 
is equivalent to entailment in system Z by Pearl [22] (which is generalized to variable 
strength defaults in system $Z^+$ by Goldszmidt and Pearl [15,16]), to the least specific
possibility entailment by Benferhat et al. [4], and to a conditional (modal) logic-based
entailment by Lamarre [18]. Finally, mainly to solve problems with property inheritance 
from classes to exceptional subclasses, the maximum entropy approach was proposed 
by Goldszmidt et al. [13] (and recently generalized to variable strength defaults by 
Bourne and Parsons [7]); lexicographic entailment was introduced by Lehmann [19] 
and Benferhat et al. [3]; and conditional entailment was proposed by Geffner [11,12]. 


However, while the semantic aspects of these formalisms are quite well understood,
only partial results about their computational properties have been known so far. In
previous work [9], we filled some of these gaps by drawing a precise picture of
the complexity of major formalisms for default reasoning from conditional knowledge
bases. The main goal of this paper is to complement this work by finding meaningful
cases in which default reasoning from conditional knowledge bases is tractable. In
particular, we aim at identifying nontrivial restrictions that can be checked efficiently 
and that guarantee sufficient expressiveness. 


The main contributions of this paper can be summarized as follows: 


• We introduce q-Horn conditional knowledge bases, which enrich in the spirit of [5]
  Horn conditional knowledge bases by allowing limited use of disjunction in both
  strict statements and defeasible rules. For example, a default $saturday \to hiking \vee shopping$,
  which informally expresses that on Saturday, someone is normally out
  for hiking or shopping, can be expressed in a q-Horn KB, but not in a Horn KB.

• We show that previous tractability results for $\varepsilon$-entailment [20,16], proper
  $\varepsilon$-entailment [14], and z- and $z^+$-entailment [16] in the Horn case can be extended to the
  q-Horn case. Thus, in all these approaches, tractability is retained under a limited
  use of disjunction.

• We present feedback-free-Horn conditional knowledge bases, which restrict the
  literal-Horn case (where default rules are Horn-like) by requesting that, roughly
  speaking, default consequents do not fire back into the classical knowledge of KB
  and that the defaults can be grouped into non-interfering clusters of bounded size.
  We give some examples from the literature that underline the importance of the
  feedback-free-Horn case. In particular, we show that taxonomic hierarchies that are
  augmented by default knowledge can be expressed in the feedback-free-Horn case.

• We show that in the feedback-free-Horn case, default reasoning under
  $z^*$-entailment [13], $z^*_s$-entailment [7], lex-entailment [3], and $lex_p$-entailment [19] is
  tractable. To our knowledge, no or only limited tractable cases [8] for these notions of
  entailment from conditional knowledge bases have been identified so far.

• Our tractability results for the feedback-free-Horn case are complemented by our
  proof that without a similar restriction on literal-Horn defaults, all the respective
  semantics remain intractable. In particular, this applies to the 1-literal-Horn case,
  in which each default is literal-Horn and has at most one atom in its antecedent,
  and the strict knowledge consists of Horn clauses having at most two literals.


Note that detailed proofs of all results in this extended abstract are given in [10].


2 Preliminaries


2.1 Conditional Knowledge Bases 


We assume a set of propositional atoms At = {p_1, …, p_n} with n ≥ 1. We use ⊥ and 
⊤ to denote the propositional constants false and true, respectively. The set of classical 
formulas is the closure of At ∪ {⊥, ⊤} under the Boolean operations ¬ and ∧. We 
use (φ ⇒ ψ) and (φ ∨ ψ) to abbreviate ¬(φ ∧ ¬ψ) and ¬(¬φ ∧ ¬ψ), respectively, and 
adopt the usual conventions to eliminate parentheses. A literal is an atom p ∈ At or 
its negation ¬p. A Horn clause is a classical formula φ ⇒ ψ, where φ is either ⊤ or a 
conjunction of atoms, and ψ is either ⊥ or an atom. A definite Horn clause is a Horn 
clause φ ⇒ ψ, where ψ is an atom. 

A conditional rule (or default) is an expression φ → ψ, where φ and ψ are classical 
formulas. A conditional knowledge base is a pair KB = (L, D), where L is a finite set 
of classical formulas and D is a finite set of defaults. Informally, L contains facts and 
rules that are certain, while D contains defeasible rules. In case L = ∅, we call KB a 
default knowledge base. A default φ → ψ is Horn (resp., literal-Horn) iff φ is either ⊤ 
or a conjunction of atoms, and ψ is a conjunction of Horn clauses (resp., ψ is a literal). 
A definite literal-Horn default is a literal-Horn default φ → ψ, where ψ is an atom. 

Given a conditional knowledge base KB = (L, D), a strength assignment σ on KB 
is a mapping that assigns each d ∈ D an integer σ(d) ≥ 0. A priority assignment on KB 
is a strength assignment π on KB with {π(d) | d ∈ D} = {0, 1, …, k} for some k ≥ 0. 

An interpretation (or world) is a truth assignment I: At → {true, false}, which is 
extended to classical formulas as usual. We use ℐ_At to denote the set of all worlds for 
At. The world I satisfies a classical formula φ, or I is a model of φ, denoted I ⊨ φ, 
iff I(φ) = true. I satisfies a default φ → ψ, or I is a model of φ → ψ, denoted 
I ⊨ φ → ψ, iff I ⊨ φ ⇒ ψ. I satisfies a set K of classical formulas and defaults, 
or I is a model of K, denoted I ⊨ K, iff I satisfies every member of K. The world I 
verifies a default φ → ψ iff I ⊨ φ ∧ ψ. I falsifies a default φ → ψ iff I ⊨ φ ∧ ¬ψ 
(that is, I ⊭ φ → ψ). A set of defaults D tolerates a default d under a set of classical 
formulas L iff D ∪ L has a model that verifies d. A set of defaults D is under L in 
conflict with a default φ → ψ iff all models of D ∪ L ∪ {φ} satisfy ¬ψ. 

A world ranking κ is a mapping κ: ℐ_At → {0, 1, …} ∪ {∞} such that κ(I) = 0 
for at least one world I. It is extended to all classical formulas φ as follows. If φ is 
satisfiable, then κ(φ) = min {κ(I) | I ∈ ℐ_At, I ⊨ φ}; otherwise, κ(φ) = ∞. A world 
ranking κ is admissible with a conditional knowledge base (L, D) iff κ(¬φ) = ∞ for 
all φ ∈ L, and κ(φ) < ∞ and κ(φ ∧ ψ) < κ(φ ∧ ¬ψ) for all defaults φ → ψ ∈ D. 
A default ranking σ on D maps each d ∈ D to a nonnegative integer. 


2.2 Semantics for Conditional Knowledge Bases 


ε-Semantics (Adams [1] and Pearl [21]). We describe the notions of ε-consistency, 
ε-entailment, and proper ε-entailment in terms of world rankings. 

A conditional knowledge base KB is ε-consistent iff there exists a world ranking 
that is admissible with KB. It is ε-inconsistent iff no such world ranking exists. 
A conditional knowledge base KB ε-entails a default φ → ψ iff either κ(φ) = ∞ 
or κ(φ ∧ ψ) < κ(φ ∧ ¬ψ) for all world rankings κ admissible with KB. Moreover, KB 
properly ε-entails φ → ψ iff KB ε-entails φ → ψ and KB does not ε-entail φ → ⊥. 

The next theorem is a simple generalization of a result by Adams [1]. 

Theorem 2.1 (essentially [1]). A conditional knowledge base (L, D) ε-entails a default 
φ → ψ iff the conditional knowledge base (L, D ∪ {φ → ¬ψ}) is ε-inconsistent. 
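
The reduction in Theorem 2.1 can be tried out by brute force on a small knowledge base. The sketch below uses the bird and penguin knowledge base of Section 2.3. It decides ε-consistency with the tolerance test (repeatedly removing the defaults that are tolerated by the remaining ones under L); that procedure, the encoding of formulas as Python predicates, and all function names are assumptions of this illustration and are not taken from the text. The enumeration of worlds is exponential and only meant for toy inputs.

```python
from itertools import product

ATOMS = ["penguin", "bird", "fly", "wings", "arctic", "mobile"]

def worlds():
    """Enumerate all truth assignments over ATOMS (exponential, toy sizes only)."""
    for bits in product([False, True], repeat=len(ATOMS)):
        yield dict(zip(ATOMS, bits))

def atom(name):
    return lambda w: w[name]

def neg(f):
    return lambda w: not f(w)

def tolerated(d, defaults, strict):
    """True iff some model of strict and defaults verifies the default d."""
    phi, psi = d
    for w in worlds():
        if not all(f(w) for f in strict):
            continue
        # Defaults are read as material implications when testing models.
        if not all((not a(w)) or c(w) for a, c in defaults):
            continue
        if phi(w) and psi(w):
            return True
    return False

def eps_consistent(strict, defaults):
    """Tolerance test: peel off layers of tolerated defaults until none remain."""
    if not any(all(f(w) for f in strict) for w in worlds()):
        return False
    remaining = list(defaults)
    while remaining:
        layer = [d for d in remaining if tolerated(d, remaining, strict)]
        if not layer:
            return False
        remaining = [d for d in remaining if d not in layer]
    return True

def eps_entails(strict, defaults, query):
    """Theorem 2.1: add the default with negated consequent and test inconsistency."""
    phi, psi = query
    return not eps_consistent(strict, defaults + [(phi, neg(psi))])

# Knowledge base of Section 2.3: L = {penguin => bird} and five defaults.
L = [lambda w: (not w["penguin"]) or w["bird"]]
D = [
    (atom("bird"), atom("fly")),
    (atom("penguin"), neg(atom("fly"))),
    (atom("bird"), atom("wings")),
    (atom("penguin"), atom("arctic")),
    (atom("fly"), atom("mobile")),
]

print(eps_entails(L, D, (atom("penguin"), neg(atom("fly")))))
print(eps_entails(L, D, (atom("bird"), atom("mobile"))))
```

The two queries correspond to the defaults "generally, penguins do not fly" and "generally, birds are mobile" discussed in Section 2.3.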


Systems Z and Z⁺ (Pearl [22] and Goldszmidt and Pearl [15,16]). Entailment 
in system Z⁺ applies to ε-consistent conditional knowledge bases KB = (L, D) with 
strength assignment σ on KB. It is linked to a default ranking z⁺ and a world ranking 
κ⁺, which are the unique solution of the following system of equations: 


\[ z^{+}(d) = \sigma(d) + \kappa^{+}(\phi \wedge \psi) \qquad (\text{for all } d = \phi \to \psi \in D) \tag{1} \]

\[ \kappa^{+}(I) = \begin{cases} \infty & \text{if } I \not\models L \\ 0 & \text{if } I \models L \cup D \\ 1 + \max\limits_{d \in D:\ I \not\models d} z^{+}(d) & \text{otherwise} \end{cases} \qquad (\text{for all } I \in \mathcal{I}_{At}) \tag{2} \]


A default φ → ψ is z⁺-entailed by (KB, σ) at strength τ iff either κ⁺(φ) = ∞ or 
κ⁺(φ ∧ ψ) + τ < κ⁺(φ ∧ ¬ψ). 

Entailment in system Z is a special case of entailment in system Z⁺. It applies to 
ε-consistent conditional knowledge bases KB. A default φ → ψ is z-entailed by KB iff 
φ → ψ is z⁺-entailed by (KB, σ) at strength 0, where σ(d) = 0 for all d ∈ D. 
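
For the special case of system Z (all strengths equal to 0), equations (1) and (2) can be explored by brute force. The sketch below computes a default ranking by the tolerance partition, which is the standard construction for system Z, and then evaluates the world ranking as in (2). The knowledge base is the bird and penguin example of Section 2.3; the predicate encoding and the function names are assumptions of this illustration, and the enumeration is exponential in the number of atoms.

```python
from itertools import product

ATOMS = ["penguin", "bird", "fly", "wings", "arctic", "mobile", "red"]
INF = float("inf")
WORLDS = [dict(zip(ATOMS, bits)) for bits in product([False, True], repeat=len(ATOMS))]

# Strict knowledge L and defaults D, each default an (antecedent, consequent) pair.
L = [lambda w: not w["penguin"] or w["bird"]]
D = [
    (lambda w: w["bird"], lambda w: w["fly"]),
    (lambda w: w["penguin"], lambda w: not w["fly"]),
    (lambda w: w["bird"], lambda w: w["wings"]),
    (lambda w: w["penguin"], lambda w: w["arctic"]),
    (lambda w: w["fly"], lambda w: w["mobile"]),
]

def satisfies(w, d):
    """A world satisfies a default iff it satisfies the material implication."""
    return not d[0](w) or d[1](w)

def z_ranking(strict, defaults):
    """Rank each default by the layer of the tolerance partition it falls into."""
    rank, remaining, level = {}, list(range(len(defaults))), 0
    while remaining:
        models = [w for w in WORLDS if all(f(w) for f in strict)
                  and all(satisfies(w, defaults[i]) for i in remaining)]
        layer = [i for i in remaining
                 if any(defaults[i][0](w) and defaults[i][1](w) for w in models)]
        if not layer:
            raise ValueError("knowledge base is not eps-consistent")
        for i in layer:
            rank[i] = level
        remaining = [i for i in remaining if i not in layer]
        level += 1
    return [rank[i] for i in range(len(defaults))]

def kappa(formula, strict, defaults, z):
    """Rank of a formula: minimum over its models of the world rank from (2)."""
    best = INF
    for w in WORLDS:
        if not formula(w) or not all(f(w) for f in strict):
            continue
        falsified = [z[i] for i, d in enumerate(defaults) if not satisfies(w, d)]
        best = min(best, 1 + max(falsified) if falsified else 0)
    return best

def z_entails(strict, defaults, z, phi, psi):
    """z-entailment: strength 0 in the definition of z+-entailment."""
    if kappa(phi, strict, defaults, z) == INF:
        return True
    pos = kappa(lambda w: phi(w) and psi(w), strict, defaults, z)
    neg = kappa(lambda w: phi(w) and not psi(w), strict, defaults, z)
    return pos < neg

Z = z_ranking(L, D)
print(Z)
print(z_entails(L, D, Z, lambda w: w["penguin"], lambda w: w["wings"]))
```

With all strengths 0, equation (1) says that the rank of each default equals the rank of its verifying formula; this can be checked directly by comparing `Z[i]` with `kappa` of antecedent and consequent.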


Maximum Entropy (Goldszmidt et al. [13] and Bourne and Parsons [7]). The notion 
of z*_s-entailment applies to ε-consistent conditional knowledge bases KB = (L, D) 
with positive strength assignment σ. It is defined whenever the following system of 
equations (3) and (4) has a unique solution z*_s, κ*_s with positive z*_s: 


\[ \kappa^{*}_{s}(\phi \wedge \neg\psi) = \sigma(\phi \to \psi) + \kappa^{*}_{s}(\phi \wedge \psi) \qquad (\text{for all } d = \phi \to \psi \in D) \tag{3} \]

\[ \kappa^{*}_{s}(I) = \begin{cases} \infty & \text{if } I \not\models L \\ 0 & \text{if } I \models L \cup D \\ \sum\limits_{d \in D:\ I \not\models d} z^{*}_{s}(d) & \text{otherwise} \end{cases} \qquad (\text{for all } I \in \mathcal{I}_{At}) \tag{4} \]


The uniqueness of z*_s and κ*_s is guaranteed by assuming that κ*_s is robust [7], which is 
the following property: for all distinct defaults d_1, d_2 ∈ D, it holds that all models I_1 
and I_2 of L having smallest ranks in κ*_s such that I_1 ⊭ d_1 and I_2 ⊭ d_2, respectively, are 
different. That is, d_1 and d_2 do not have a common minimal falsifying model under L. 
We say KB is robust iff the system of equations given by (3) and (4) has a unique 
solution z*_s, κ*_s such that z*_s is positive and κ*_s is robust. A default φ → ψ is z*_s-entailed 
by (KB, σ) at strength τ iff either κ*_s(φ) = ∞ or κ*_s(φ ∧ ψ) + τ < κ*_s(φ ∧ ¬ψ). 

The notion of z*-entailment is a special case of z*_s-entailment. It applies to 
ε-consistent minimal-core conditional knowledge bases KB = (L, D) without strength 
assignment, where KB is minimal-core iff for each default d ∈ D there exists a model I 
of L ∪ (D − {d}) that falsifies d. A default φ → ψ is z*-entailed by KB iff φ → ψ is 
z*_s-entailed by (KB, σ) at strength 1, where σ(d) = 1 for all d ∈ D. 

Lexicographic Entailment (Lehmann [19] and Benferhat et al. [3]). Lexicographic 
entailment in [3] applies to conditional knowledge bases KB = (L, D) with a priority 
assignment π on KB, which defines an ordered partition (D_0, …, D_k) of D 
by D_i = {d ∈ D | π(d) = i}, for all i ≤ k. It is used to define a preference ordering 
on worlds as follows. A world I is π-preferable to a world I′ iff there exists some 
i ∈ {0, …, k} such that |{d ∈ D_i | I ⊨ d}| > |{d ∈ D_i | I′ ⊨ d}| and |{d ∈ D_j | I ⊨ d}| 
= |{d ∈ D_j | I′ ⊨ d}| for all i < j ≤ k. A model I of a set of classical formulas F 
is a π-preferred model of F iff no model of F is π-preferable to I. A default φ → ψ is 
lex_p-entailed by (KB, π) iff ψ is satisfied in every π-preferred model of L ∪ {φ}. 

The notion of lexicographic entailment in [19] is a special case of lexicographic 
entailment as above. It applies to ε-consistent conditional knowledge bases KB, and 
uses the default ranking z of KB in system Z as priority assignment. That is, a default 
φ → ψ is lex-entailed by KB iff φ → ψ is lex_p-entailed by (KB, z). 
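
The preference ordering on worlds can be illustrated with a small brute-force sketch. Each model of L ∪ {φ} is mapped to the tuple of numbers of satisfied defaults per priority level, highest level first; comparing these tuples lexicographically is one way to read the definition of π-preferable worlds. The knowledge base is the bird and penguin example of Section 2.3, and the priority assignment below (the two penguin defaults at level 1, all others at level 0) is an assumption of this sketch, as are the function names.

```python
from itertools import product

ATOMS = ["penguin", "bird", "fly", "wings", "arctic", "mobile", "red"]
WORLDS = [dict(zip(ATOMS, bits)) for bits in product([False, True], repeat=len(ATOMS))]

L = [lambda w: not w["penguin"] or w["bird"]]
D = [
    (lambda w: w["bird"], lambda w: w["fly"]),
    (lambda w: w["penguin"], lambda w: not w["fly"]),
    (lambda w: w["bird"], lambda w: w["wings"]),
    (lambda w: w["penguin"], lambda w: w["arctic"]),
    (lambda w: w["fly"], lambda w: w["mobile"]),
]
# Assumed priority assignment pi, aligned with D (more specific defaults rank higher).
PI = [0, 1, 0, 1, 0]

def satisfies(w, d):
    return not d[0](w) or d[1](w)

def profile(w, defaults, priority):
    """Numbers of satisfied defaults per level, highest priority level first."""
    top = max(priority)
    return tuple(
        sum(1 for d, p in zip(defaults, priority) if p == level and satisfies(w, d))
        for level in range(top, -1, -1)
    )

def lexp_entails(strict, defaults, priority, phi, psi):
    """psi must hold in every pi-preferred model of strict plus phi."""
    models = [w for w in WORLDS if phi(w) and all(f(w) for f in strict)]
    if not models:
        return True
    best = max(profile(w, defaults, priority) for w in models)
    preferred = [w for w in models if profile(w, defaults, priority) == best]
    return all(psi(w) for w in preferred)

print(lexp_entails(L, D, PI, lambda w: w["penguin"], lambda w: w["wings"]))
```

Because the tuples are totally ordered, the π-preferred models are exactly those whose tuple is maximal, which keeps the sketch short.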


2.3 Example 


Consider the following conditional knowledge base KB = (L, D), adapted from [16], 
which represents the strict knowledge “all penguins are birds”, and the defeasible rules 
“generally, birds fly”, “generally, penguins do not fly”, “generally, birds have wings”, 
“generally, penguins live in the arctic”, and “generally, flying animals are mobile”. 


L = {penguin ⇒ bird}, 
D = {bird → fly, penguin → ¬fly, bird → wings, penguin → arctic, fly → mobile}. 


We would like KB to entail “generally, birds are mobile” (as birds generally fly, 
and flying animals are generally mobile) and “generally, red birds fly” (as the property 
“red” is not mentioned at all in KB and should thus be considered irrelevant to the 
flying ability of birds). Moreover, KB should entail “generally, penguins have wings” 
(as the set of all penguins is a subclass of the set of all birds, and thus penguins should 
inherit all properties of birds), and “generally, penguins do not fly” (as properties of 
more specific classes should override inherited properties of less specific classes). 

The corresponding behavior of ε-, z-, z*-, and lex-entailment is shown in Table 1. In 
detail, bird → mobile is a plausible consequence of KB under all notions of entailment 
except for ε-entailment. Moreover, in this example, every notion of entailment except 
for ε-entailment ignores irrelevant information, while every notion of entailment except 
for ε- and z-entailment shows property inheritance from the class of all birds to the 
exceptional subclass of all penguins. Finally, the default penguin → ¬fly is entailed by 
KB under all notions of entailment. 

For instance, let us verify that penguin → ¬fly is ε-entailed by KB. By Theorem 2.1, 
we have to check that (L, D ∪ {penguin → fly}) is ε-inconsistent. But this is indeed 
the case, since there is no world ranking κ that satisfies κ(penguin) < ∞ as well as 
κ(penguin ∧ ¬fly) < κ(penguin ∧ fly) and κ(penguin ∧ fly) < κ(penguin ∧ ¬fly). 


Table 1. Plausible consequences of KB under different semantics 


                  bird → mobile   red ∧ bird → fly   penguin → wings   penguin → ¬fly
ε-entailment            −                −                  −                 +
z-entailment            +                +                  −                 +
z*-entailment           +                +                  +                 +
lex-entailment          +                +                  +                 +


3 Overview of Tractability Results 


3.1 Problem Statements 


A default reasoning problem is a pair (KB, d), where KB = (L, D) is a conditional 
knowledge base and d is a default. It is Horn (resp., literal-Horn) iff L is a finite set 
of Horn clauses, D is a finite set of Horn (resp., literal-Horn) defaults, and d is a Horn 
(resp., literal-Horn) default. In case of z⁺- and z*_s-entailment, we assume that KB and 
d have additionally a strength assignment σ(KB) and a strength τ(d), respectively. In 
case of lex_p-entailment, KB has in addition a priority assignment π(KB). 

Informally, a default reasoning problem represents the input for the entailment prob- 
lem under a fixed semantics S. We tacitly assume that KB satisfies any preconditions 
that the definition of S-entailment in the previous section may request. 

We consider the following problems: 


• ENTAILMENT: Given a default reasoning problem (KB, d), decide whether KB 
entails d under some fixed semantics S. In case of z⁺- and z*_s-entailment, decide 
whether d is z⁺- and z*_s-entailed, respectively, by (KB, σ(KB)) at strength τ(d). In 
case of lex_p-entailment, we are asked whether d is lex_p-entailed by (KB, π(KB)). 

• RANKING: Given a conditional knowledge base KB, compute the default ranking 
R of KB according to some fixed semantics S (that is, the rank of each d ∈ D). 

• RANK-ENTAILMENT: Same as ENTAILMENT, but the (unique) default ranking R of 
KB according to some fixed semantics S is part of the problem input. 


3.2 Previous Tractability Results 


Previous results on the tractability/intractability frontier can be described as follows. 

Deciding ε-entailment is intractable in the general case [20] and tractable in the 
Horn case [20,16]. Similarly, deciding proper ε-entailment is intractable in the general 
case [9] and tractable in the Horn case [14]. Moreover, the problems ENTAILMENT, 
RANKING, and RANK-ENTAILMENT for systems Z and Z⁺ are intractable in the 
general case [9] and tractable in the Horn case [16]. 

The problems ENTAILMENT, RANKING, and RANK-ENTAILMENT for the semantics 
z* and z*_s are intractable even in the literal-Horn case [9]. Moreover, also deciding 
lex- and lex_p-entailment is intractable in the literal-Horn case [9]. To our knowledge, 
no or only limited tractable cases for these notions of entailment have been identified 
so far (a limited tractable case for lex_p-entailment has been presented in [8]). 

Fig. 1. Tractability of ENTAILMENT 

Fig. 2. Tractability of RANKING and RANK-ENTAILMENT 


3.3 New Tractability Results 


It would be interesting to know whether the tractability results for ε-entailment, proper 
ε-entailment, and z- and z⁺-entailment in the Horn case can be extended to more 
expressive classes of problems. Moreover, it would be interesting to know whether there 
are meaningful tractable classes of problems for z*-, z*_s-, lex-, and lex_p-entailment. 

Concerning the first issue, we introduce the class of q-Horn conditional knowledge 
bases. This class generalizes Horn conditional knowledge bases syntactically by allow- 
ing a restricted use of disjunction, and contains instances that cannot be represented in 
Horn conditional knowledge bases. As we show, the tractability results for Horn condi- 
tional knowledge bases extend to q-Horn conditional knowledge bases. 

Finding meaningful tractable cases for the more sophisticated semantics for 
conditional knowledge bases is more challenging. A natural attempt is to show that a further 
restriction of the literal-Horn case leads to tractability. An obvious candidate restriction 
is bounding the size of the bodies in the strict and classical rules to at most one atom. 
Unfortunately, this does not buy tractability. An analysis of our proof reveals that the 
interaction of the defaults among each other and with the classical background knowledge 
must be controlled such that interferences have a local effect. This leads us to the class 
of feedback-free-Horn (ff-Horn) default reasoning problems. As we show, tractability 
is gained on this class for all the intractable semantics discussed here. 

The hierarchy of all classes of conditional knowledge bases considered in this paper, 
along with the corresponding tractability results, is given in Figures 1-2. 


4 Q-Horn 


4.1 Motivating Example 


Q-Horn conditional knowledge bases generalize Horn conditional knowledge bases by 
allowing a limited form of disjunction, which is illustrated by the following example. 


Example 4.1. Assume that John is looking for Mary. Unfortunately, he did not find 
her at home. So, he is wondering where she might be. He knows that Mary might have 
tea with her friends, that she might be in the library, or that she might play tennis. He 
also knows that these scenarios are pairwise exclusive and not exhaustive. Moreover, 
John knows that “generally, in the afternoon, Mary is having tea with her friends or 
she is in the library” and that “generally, on Friday afternoon, Mary plays tennis”. This 
knowledge can be expressed by the following KB = (L, D): 


L = {¬tea ∨ ¬library, ¬tea ∨ ¬tennis, ¬library ∨ ¬tennis}, 
D = {afternoon → tea ∨ library, Friday ∧ afternoon → tennis}. 


Assume that it is Friday afternoon and that John is wondering whether he should go 
to the library to look for Mary. That is, does KB entail Friday ∧ afternoon → library? 


4.2 Definitions 


A clause is a disjunction of literals. A default φ → ψ is clausal iff φ is either ⊤ or a 
conjunction of literals, and ψ is a conjunction of clauses. A conditional knowledge base 
KB = (L, D) is clausal iff L is a finite set of clauses and D is a finite set of clausal 
defaults. A default reasoning problem (KB, d) is clausal iff both KB and d are clausal. 

A classical formula φ is in conjunctive normal form (or CNF) iff φ is either ⊤ or a 
conjunction of clauses. We use the operator ∼ to map each atom a to its negation ¬a, 
and each negated atom ¬a to a. We define a mapping N that associates each clausal 
default d with a classical formula in CNF as follows. If d is of the form ⊤ → c_1 ∧ ⋯ ∧ c_n 
with clauses c_1, …, c_n, then N(d) = c_1 ∧ ⋯ ∧ c_n. If d is of the form l_1 ∧ ⋯ ∧ l_m → 
c_1 ∧ ⋯ ∧ c_n with literals l_1, …, l_m and clauses c_1, …, c_n, then N(d) is the conjunction of 
all ∼l_1 ∨ ⋯ ∨ ∼l_m ∨ c_i with i ∈ {1, …, n}. We extend N to classical formulas in CNF 
φ by N(φ) = φ. We extend N to finite sets K of classical formulas in CNF and clausal 
defaults as follows. Let K′ denote the set of all k ∈ K with N(k) ≠ ⊤. If K′ ≠ ∅, then 
N(K) is the conjunction of all N(k) with k ∈ K′. Otherwise, N(K) = ⊤. 

A partial assignment S is a set of literals such that for every atom a ∈ At at most 
one of the literals a and ¬a is in S. A classical formula in CNF φ is q-Horn [5] iff there 
exists a partial assignment S such that (i) each clause in φ contains at most two literals 
outside of S, and (ii) if a clause in φ contains exactly two literals u, v ∉ S, then neither 
∼u nor ∼v belongs to S. Note that every conjunction of Horn clauses is q-Horn. 

A finite set K of classical formulas in CNF and clausal defaults is q-Horn iff N(K) 
is q-Horn. A conditional knowledge base KB = (L, D) is q-Horn iff KB is clausal 
and L ∪ D is q-Horn. Clearly, every Horn KB is q-Horn, but not vice versa. A default 
reasoning problem (KB, d) is q-Horn iff KB is q-Horn and d is a clausal default. 


Example 4.2. The conditional knowledge base KB = (L, D) of Example 4.1 is q-Horn. 
In detail, the classical formula N(L ∪ D) associated with KB is given by: 


N(L ∪ D) = (¬tea ∨ ¬library) ∧ (¬tea ∨ ¬tennis) ∧ (¬library ∨ ¬tennis) ∧ 
(¬afternoon ∨ tea ∨ library) ∧ (¬Friday ∨ ¬afternoon ∨ tennis). 


A partial assignment that satisfies (i) and (ii) is given by {¬Friday, ¬afternoon}. That 
is, N(L ∪ D) is q-Horn. Since KB is also clausal, it thus follows that KB is q-Horn. 
Note that KB can be made Horn by “renaming” atoms, in particular, by replacing 
the atom library by a negated new atom library′, where library′ stands for ¬library. 
However, if the scenarios were exhaustive and thus the clause library ∨ tea ∨ tennis is 
in KB, then no Horn renaming of KB is possible. But, the resulting KB is still q-Horn. 
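
The mapping N and conditions (i) and (ii) can be checked mechanically on Example 4.2. The following sketch encodes a literal as a pair (atom name, sign), builds N(d) for clausal defaults, and tests whether a given partial assignment S witnesses the q-Horn property. The exhaustive search over partial assignments is exponential and is not the linear-time recognition algorithm of [5,6]; the encoding and all function names are assumptions of this illustration.

```python
from itertools import product

def comp(lit):
    """The ~ operator: map an atom to its negation and vice versa."""
    name, positive = lit
    return (name, not positive)

def n_default(antecedent, consequent):
    """N(d) for a clausal default: antecedent is a list of literals,
    consequent a list of clauses; returns a list of clauses."""
    prefix = [comp(l) for l in antecedent]
    return [prefix + list(clause) for clause in consequent]

def witnesses_q_horn(clauses, S):
    """Check conditions (i) and (ii) for the partial assignment S."""
    for clause in clauses:
        outside = [l for l in clause if l not in S]
        if len(outside) > 2:
            return False
        if len(outside) == 2 and any(comp(l) in S for l in outside):
            return False
    return True

def find_q_horn_assignment(clauses):
    """Brute-force search over all partial assignments (toy sizes only)."""
    atoms = sorted({name for clause in clauses for name, _ in clause})
    for choice in product([None, True, False], repeat=len(atoms)):
        S = {(a, v) for a, v in zip(atoms, choice) if v is not None}
        if witnesses_q_horn(clauses, S):
            return S
    return None

def pos(a):
    return (a, True)

def neg(a):
    return (a, False)

# N(L u D) for Example 4.1 / 4.2.
CLAUSES = [
    [neg("tea"), neg("library")],
    [neg("tea"), neg("tennis")],
    [neg("library"), neg("tennis")],
]
CLAUSES += n_default([pos("afternoon")], [[pos("tea"), pos("library")]])
CLAUSES += n_default([pos("Friday"), pos("afternoon")], [[pos("tennis")]])

S_EXAMPLE = {neg("Friday"), neg("afternoon")}
print(witnesses_q_horn(CLAUSES, S_EXAMPLE))
```

The search may return a different witness than the one named in Example 4.2, since the witnessing partial assignment is in general not unique.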


The size of a classical formula in CNF φ, denoted ‖φ‖, is defined as the number 
of occurrences of literals in φ. We use |φ| to denote the number of clauses in φ. The 
size of a clausal default d = φ → ψ, denoted ‖d‖, is defined as ‖φ‖ + ‖ψ‖. The size of 
a finite set of clauses L, denoted ‖L‖, is defined as the size of N(L). The size of a 
clausal KB = (L, D), denoted ‖KB‖, is defined as the size of N(L ∪ D). We use |D| 
to denote the cardinality of D. 


4.3 Q-Horn Formulas 


The problems of deciding whether a q-Horn formula is satisfiable and of recognizing 
q-Horn formulas are both tractable and can in fact be solved in linear time. 


Proposition 4.3 (see [5,6]). a) Given a q-Horn formula φ, deciding whether φ is 
satisfiable can be done in time O(‖φ‖). b) Given a classical formula in CNF φ, deciding 
whether φ is q-Horn can be done in time O(‖φ‖). 


By this result, it follows easily that also q-Horn conditional knowledge bases can be 
recognized in linear time. 


Theorem 4.4. Given a clausal conditional knowledge base KB = (L, D), deciding 
whether KB is q-Horn can be done in time O(‖KB‖). 


4.4 ε-Semantics 


The following theorem shows that deciding whether a q-Horn KB is ε-consistent is 
tractable. The proof of this result is based on the fact that checking the ε-consistency 
of KB is reducible to a polynomial number of classical satisfiability tests. By closure 
properties of q-Horn formulas, it then follows that for q-Horn KB, each satisfiability 
test is done on a q-Horn formula and thus possible in polynomial time. 


Theorem 4.5. Given a q-Horn conditional knowledge base KB = (L, D), deciding 
whether KB is ε-consistent is possible in time O(|D|² ‖KB‖). 


The next result shows that deciding ε-entailment is tractable in the q-Horn case. 


Theorem 4.6. Given a q-Horn default reasoning problem (KB, d) = ((L, D), φ → ψ), 
deciding whether KB «-entails d is possible in time O((||||+|¥|) |D|? (|| KB||+||~]])). 


Finally, deciding proper ε-entailment is also tractable in the q-Horn case. 


Theorem 4.7. Given a q-Horn default reasoning problem (KB, d) = ((L, D), φ → ψ), 
deciding whether KB properly «-entails d is possible in time O((|||| + ||) |D/? 
(KBl| + IlvI|)- 


4.5 Systems Z and Z+ 


We next focus on entailment in systems Z and Z⁺. The following result, which can be 
proved in a similar way as Theorems 4.5 to 4.7, shows that computing the default ranking 
z⁺ is tractable in the q-Horn case. Since system Z⁺ properly generalizes system Z, this 
result shows also that computing the default ranking z is tractable in the q-Horn case. 


Theorem 4.8. Given an ε-consistent q-Horn conditional knowledge base KB = (L, D) 
with strength assignment σ, the default ranking z⁺ can be computed in polynomial time. 


Finally, the following theorem shows that deciding z⁺-entailment is tractable in 
the q-Horn case. Again, since system Z⁺ properly generalizes system Z, this result 
shows also that deciding z-entailment is tractable in the q-Horn case. Trivially, these 
tractability results remain true when z⁺ and z, respectively, are part of the input, that 
is, for RANK-ENTAILMENT. 


Theorem 4.9. Given a q-Horn default reasoning problem (KB, d) = ((L, D), φ → ψ), 
where KB is ε-consistent and has a strength assignment σ, deciding whether (KB, σ) 
z⁺-entails d at a given strength τ ≥ 0 can be done in polynomial time. 


5 Feedback-Free-Horn 


5.1 Intractability Results for 1-Literal-Horn Case 


How do we obtain tractability of deciding s-entailment, where s ∈ {z*, z*_s, lex, lex_p}? In 
particular, are there any syntactic restrictions on default reasoning problems that give 
tractability? We could, for example, further restrict literal-Horn defaults by limiting 
the number of atoms in the antecedent of each default as follows. A default φ → ψ 
is 1-literal-Horn iff φ is either ⊤ or an atom, and ψ is a literal. A 1-Horn clause is a 
classical formula φ ⇒ ψ, where φ is either ⊤ or an atom, and ψ is a literal. A conditional 
knowledge base KB = (L, D) is 1-literal-Horn iff L is a finite set of 1-Horn clauses 
and D is a finite set of 1-literal-Horn defaults. A default reasoning problem (KB, d) is 
1-literal-Horn iff both KB and d are 1-literal-Horn. 

Unfortunately, the following theorem shows that deciding z*-entailment is still 
(presumably) intractable even for this very restricted kind of default reasoning problems. 

Theorem 5.1. Given a 1-literal-Horn KB, which is ε-consistent and minimal-core, and 
a 1-literal-Horn default d, deciding whether KB z*-entails d is co-NP-hard. 


Informally, this intractability is due to the fact that the default knowledge generally 
does not fix a unique instantiation of the atoms to truth values, in particular, when 
defaults “fire back” into the bodies of other defaults, and when defaults are logically 
related through their heads. 

Since z*_s-entailment is a proper generalization of z*-entailment, it immediately 
follows that deciding z*_s-entailment is (presumably) intractable in the 1-literal-Horn case. 


Corollary 5.2. Given a 1-literal-Horn conditional knowledge base KB, which is 
ε-consistent and robust, a strength assignment σ on KB, a 1-literal-Horn default d, and 
a strength τ, deciding whether (KB, σ) z*_s-entails d at strength τ is co-NP-hard. 


The following theorem shows that also deciding lex- and lex_p-entailment is 
(presumably) intractable in the 1-literal-Horn case. 


Theorem 5.3. a) Given an ε-consistent 1-literal-Horn conditional knowledge base KB 
and a 1-literal-Horn default d, deciding whether KB lex-entails d is co-NP-hard. 
b) Given a 1-literal-Horn conditional knowledge base KB with priority assignment π 
and a 1-literal-Horn default d, deciding whether (KB, π) lex_p-entails d is co-NP-hard. 


5.2 Motivating Examples 


We will see that deciding s-entailment, where s ∈ {z*, z*_s, lex, lex_p}, becomes tractable 
if we assume that the default reasoning problems can be sensibly decomposed into 
smaller problems of size bounded by a constant. We now give some examples to 
illustrate the main ideas behind this kind of decomposability. In the following examples, 
we assume that conditional knowledge bases are implicitly associated with a strength 
assignment σ (resp., priority assignment π), when s = z*_s (resp., s = lex_p). 


Example 5.4. Take again KB = (L, D) of Section 2.3. Assume that we are wondering 
whether KB s-entails penguin → ¬fly, red ∧ bird → fly, bird → mobile, penguin → arctic, 
or penguin → wings, where s ∈ {z*, z*_s, lex, lex_p}. As it turns out, each of these 
problems can be reduced to one classical reasoning problem and one default reasoning 
problem. More precisely, the former is done w.r.t. the set of atoms {penguin, bird, red}, 
which refers to the atoms in L and the antecedent of the query default, while the 
latter is done w.r.t. the sets of atoms {fly, mobile}, {arctic}, and {wings}, 
respectively, by sensibly eliminating irrelevant defaults and simplifying the remaining 
defaults by instantiating atoms to truth values. For instance, deciding whether KB 
s-entails red ∧ bird → fly is reduced to the classical reasoning problem of computing the 
least model of L ∪ {red ∧ bird} and the default reasoning problem of deciding whether 
({red, bird, ¬penguin}, {bird → fly, fly → mobile}) s-entails red ∧ bird → fly. 


We next consider a taxonomic hierarchy adorned with some default knowledge [2]. 

Example 5.5. The strict knowledge “all birds and fish are animals”, “all penguins and 
sparrows are birds”, “no bird is a fish”, “no penguin is a sparrow”, and the defeasible 
knowledge “generally, animals do not swim”, “generally, fish swim”, and “generally, 
penguins swim” can be represented by the following KB = (L, D): 


L = {bird ⇒ animal, fish ⇒ animal, penguin ⇒ bird, 
sparrow ⇒ bird, bird ⇒ ¬fish, penguin ⇒ ¬sparrow}, 


D = {animal → ¬swims, fish → swims, penguin → swims}. 


Do sparrows generally swim? That is, does KB s-entail sparrow → swims, where 
s ∈ {z*, z*_s, lex, lex_p}? This default reasoning problem can be reduced to one classical 
reasoning problem w.r.t. the set of atoms {animal, bird, fish, sparrow, penguin} and 
one default reasoning problem w.r.t. the set of atoms {swims}. In detail, we first 
compute the least model of L ∪ {sparrow} and then decide whether ({sparrow, bird, animal, 
¬fish, ¬penguin}, {animal → ¬swims}) s-entails sparrow → swims. 


5.3 Definitions 


Suppose that for a literal-Horn conditional knowledge base KB = (L, D), there exists 
a set of atoms At_a ⊆ At such that L is defined over At_a and that all consequents of 
definite literal-Horn defaults in D are defined over At − At_a. The greatest such At_a, 
which clearly exists, is called the activation set of KB. Intuitively, in any “context” 
given by L and φ, where φ is either ⊤ or a conjunction of atoms from At, all those 
atoms in At_a that are not logically entailed by L ∪ {φ} can be safely set to false in the 
preferred models of L ∪ {φ}. 

For At_a, there is a greatest partition {At_1, …, At_n} of At − At_a such that every 
d ∈ D is defined over some At_a ∪ At_i with i ∈ {1, …, n}, which we call the default 
partition of KB. We say KB = (L, D) is k-feedback-free-Horn (or k-ff-Horn) iff it is 
literal-Horn, it has an activation set At_a, and it has a default partition {At_1, …, At_n} 
such that every At_i with i ∈ {1, …, n} has a cardinality of at most k. 


Example 5.6. The conditional knowledge base KB of Example 5.5 is 1-ff-Horn. More 
precisely, its activation set (resp., default partition) is given by {animal, bird, fish, 
sparrow, penguin} (resp., {{swims}}). 

Moreover, KB of Example 5.4 is 2-ff-Horn. Its activation set (resp., default parti- 
tion) is given by {penguin, bird, red} (resp., {{fly, mobile}, {arctic}, {wings}}). 
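
The activation sets and default partitions stated in Example 5.6 can be reproduced with a short sketch. It reads the definition as follows: the activation set is obtained by removing from At the consequent atoms of all definite defaults (and exists only if no atom of L is removed), and the default partition groups the remaining atoms that occur together in some default. This reading, the data encoding, and the function names are assumptions of the illustration.

```python
def activation_set(atoms, strict_atoms, defaults):
    """Greatest At_a: all atoms except heads of definite defaults.
    Returns None if some atom of the strict knowledge is such a head."""
    heads = {head for _, (head, positive) in defaults if positive}
    act = set(atoms) - heads
    if not set(strict_atoms) <= act:
        return None
    return act

def default_partition(atoms, act, defaults):
    """Group atoms outside the activation set that co-occur in a default."""
    parent = {a: a for a in atoms if a not in act}

    def find(a):
        while parent[a] != a:
            parent[a] = parent[parent[a]]  # path halving
            a = parent[a]
        return a

    for body, (head, _) in defaults:
        outside = [a for a in list(body) + [head] if a not in act]
        for a in outside[1:]:
            parent[find(a)] = find(outside[0])
    blocks = {}
    for a in parent:
        blocks.setdefault(find(a), set()).add(a)
    return list(blocks.values())

def ff_horn_width(atoms, strict_atoms, defaults):
    """Smallest k such that the knowledge base is k-ff-Horn, or None."""
    act = activation_set(atoms, strict_atoms, defaults)
    if act is None:
        return None
    blocks = default_partition(atoms, act, defaults)
    return max((len(b) for b in blocks), default=0)

# Defaults are (antecedent atoms, (consequent atom, sign)) pairs.
BIRD_ATOMS = ["penguin", "bird", "red", "fly", "wings", "arctic", "mobile"]
BIRD_D = [
    (["bird"], ("fly", True)),
    (["penguin"], ("fly", False)),
    (["bird"], ("wings", True)),
    (["penguin"], ("arctic", True)),
    (["fly"], ("mobile", True)),
]
TAXO_ATOMS = ["animal", "bird", "fish", "sparrow", "penguin", "swims"]
TAXO_D = [
    (["animal"], ("swims", False)),
    (["fish"], ("swims", True)),
    (["penguin"], ("swims", True)),
]

print(ff_horn_width(BIRD_ATOMS, ["penguin", "bird"], BIRD_D))
print(ff_horn_width(TAXO_ATOMS, TAXO_ATOMS[:5], TAXO_D))
```

The union-find structure is one convenient way to obtain the blocks; any connected-components routine over the co-occurrence relation would serve equally well.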


For sets of Horn clauses L, we use L⁺ to denote the set of all definite Horn clauses 
in L. For sets of literal-Horn defaults D, we use D⁺ to denote the set of all definite 
literal-Horn defaults in D. Assume additionally that d = φ → ψ is a literal-Horn default. 
Then, a literal-Horn default α → a (resp., α → ¬a) with a ∈ At is active w.r.t. (L, D) 
and d iff L⁺ ∪ D⁺ ∪ {φ} ⊨ α (resp., L⁺ ∪ D⁺ ∪ {φ} ⊨ α ∧ a). 

A default reasoning problem (KB, d) = ((L, D), φ → ψ) is k-ff-Horn, where k ≥ 1, 
iff (i) it is literal-Horn, and (ii) (L, D_a ∪ {d}) has an activation set At_a and a default 
partition {At_1, …, At_n} such that d is defined over some At_a ∪ At_i with |At_i| ≤ k, 
where D_a is the set of all active defaults in D w.r.t. KB and d. The class k-ff-Horn 
consists of all k-ff-Horn default reasoning problems; we define the class feedback-free-Horn 
(or ff-Horn) by ff-Horn = ⋃_{k ≥ 1} k-ff-Horn. 




Example 5.7. Consider the literal-Horn default reasoning problem (KB, d) with KB = 
(L, D) as in Example 5.4 and d = red ∧ bird → fly. The set D_a of active defaults in D 
w.r.t. KB and d is given by D_a = {bird → fly, bird → wings, fly → mobile}. 

Now, (L, D_a ∪ {d}) has the activation set At_a = {penguin, bird, red, arctic} and 
the default partition {At_1, At_2}, where At_1 = {fly, mobile} and At_2 = {wings}. 
Moreover, d is defined over At_a ∪ At_1 with |At_1| = 2. That is, (KB, d) is 2-ff-Horn. 
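
The set of active defaults in Example 5.7 can be obtained by forward chaining over the definite part of the knowledge base. The sketch below treats the definite defaults as Horn rules, computes the least model of L⁺ ∪ D⁺ together with the atoms of the query antecedent, and then keeps a default α → a when α is derived, and a default α → ¬a when both α and a are derived. The reading of the activity condition, the data encoding, and the function names are assumptions of this illustration.

```python
def least_model(rules, facts):
    """Forward chaining over definite Horn rules given as (body, head) pairs."""
    known = set(facts)
    changed = True
    while changed:
        changed = False
        for body, head in rules:
            if head not in known and set(body) <= known:
                known.add(head)
                changed = True
    return known

def active_defaults(strict_definite, defaults, query_antecedent):
    """Return the defaults that are active w.r.t. the query antecedent.

    strict_definite: definite Horn clauses of L as (body atoms, head atom).
    defaults: literal-Horn defaults as (body atoms, (head atom, sign)).
    """
    definite = [(body, head) for body, (head, positive) in defaults if positive]
    known = least_model(list(strict_definite) + definite, query_antecedent)
    active = []
    for body, (head, positive) in defaults:
        # Positive consequent: antecedent derivable.
        # Negative consequent: antecedent and the negated atom both derivable.
        if set(body) <= known and (positive or head in known):
            active.append((body, (head, positive)))
    return active

L_PLUS = [(["penguin"], "bird")]
D = [
    (["bird"], ("fly", True)),
    (["penguin"], ("fly", False)),
    (["bird"], ("wings", True)),
    (["penguin"], ("arctic", True)),
    (["fly"], ("mobile", True)),
]

for body, (head, positive) in active_defaults(L_PLUS, D, ["red", "bird"]):
    print(" & ".join(body), "->", head if positive else "not " + head)
```

This naive fixpoint loop is quadratic in the worst case; the linear-time bound of Theorem 5.9 would need a counter-based forward-chaining procedure instead.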


For Horn conditional knowledge bases KB = (L, D) with activation set At_a, and 
classical formulas α that are either ⊤ or conjunctions of atoms from At, we define the 
classical formula α* as follows. If L ∪ {α} is satisfiable, then α* is the conjunction of 
all b ∈ At with L ∪ {α} ⊨ b and all ¬b with b ∈ At_a and L ∪ {α} ⊭ b. Otherwise, 
we define α* = ⊥. Moreover, for satisfiable L ∪ {α}, we define the world I_α over the 
activation set At_a by I_α(b) = true iff L ∪ {α} ⊨ b, for all b ∈ At_a. 
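
For Horn L, the formula α* can be computed from the least model of the definite clauses of L together with α. The following sketch does this for the taxonomy of Example 5.5 and reproduces the context {sparrow, bird, animal, ¬fish, ¬penguin} used there. Horn clauses with consequent ⊥ are encoded with head `None`; this encoding and the function names are assumptions of the illustration.

```python
def least_model(rules, facts):
    """Forward chaining over definite Horn rules given as (body, head) pairs."""
    known = set(facts)
    changed = True
    while changed:
        changed = False
        for body, head in rules:
            if head not in known and set(body) <= known:
                known.add(head)
                changed = True
    return known

def alpha_star(strict, activation, alpha):
    """Return (entailed atoms, activation atoms set to false), or None for alpha* = bottom.

    strict: Horn clauses as (body atoms, head), with head None standing for bottom.
    """
    definite = [(body, head) for body, head in strict if head is not None]
    known = least_model(definite, alpha)
    # L together with alpha is unsatisfiable iff some constraint body is derived.
    for body, head in strict:
        if head is None and set(body) <= known:
            return None
    return known, set(activation) - known

# Strict knowledge of Example 5.5; "bird => not fish" is the constraint bird & fish => bottom.
L = [
    (["bird"], "animal"),
    (["fish"], "animal"),
    (["penguin"], "bird"),
    (["sparrow"], "bird"),
    (["bird", "fish"], None),
    (["penguin", "sparrow"], None),
]
AT_A = {"animal", "bird", "fish", "sparrow", "penguin"}

print(alpha_star(L, AT_A, ["sparrow"]))
print(alpha_star(L, AT_A, ["penguin", "sparrow"]))
```

The first component of the result also determines the world I_α: an activation atom is true in I_α exactly if it appears among the entailed atoms.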


5.4 Recognizing Feedback-Free-Horn 


Both recognizing k-ff-Horn conditional knowledge bases, and computing their activa- 
tion set and default partition are efficiently possible using standard methods. 


Theorem 5.8. a) Given a literal-Horn conditional knowledge base KB and an integer 
k ≥ 1, deciding whether KB is k-ff-Horn can be done in linear time. 
b) Given a k-ff-Horn conditional knowledge base KB, computing the activation set At_a 
and the default partition {At_1, …, At_n} can be done in linear time. 


Moreover, recognizing k-ff-Horn default reasoning problems is also efficiently possible. 


Theorem 5.9. a) Given a literal-Horn default reasoning problem (KB, d), and an 
integer k ≥ 1, deciding whether (KB, d) is k-ff-Horn can be done in linear time. 
b) Given a k-ff-Horn default reasoning problem (KB, d) with KB = (L, D), computing 
the set D_a of active defaults in D w.r.t. KB and d can be done in linear time. 


5.5 Maximum Entropy Semantics 


In the sequel, let KB = (L, D) be an ε-consistent k-ff-Horn conditional knowledge base 
with positive strength assignment σ. Let At_a denote the activation set of KB, and let 
(At_1, …, At_n) be the default partition of KB. Let z*_s be a ranking that maps each d ∈ D 
to a positive integer, and let κ*_s be defined by (4). 

For each i ∈ {1, …, n}, let D_i denote the set of all defaults in D that are defined 
over At_a ∪ At_i. Let the function κ*_{s,i} on worlds I over At be defined as follows: 


\[ \kappa^{*}_{s,i}(I) = \begin{cases} \infty & \text{if } I \not\models L \\ 0 & \text{if } I \models L \cup D_i \\ \sum\limits_{d \in D_i:\ I \not\models d} z^{*}_{s}(d) & \text{otherwise.} \end{cases} \tag{5} \]


In order to compute the default ranking z*_s, we have to compute ranks of the form 
κ*_s(α ∧ β_1 ∧ ⋯ ∧ β_n), where α is either ⊤ or a conjunction of atoms from At_a, and 
each β_i is either ⊤ or a conjunction of literals over At_i. It can now be shown that such 
κ*_s(α ∧ β_1 ∧ ⋯ ∧ β_n) coincide with ∑_{i=1}^{n} κ*_{s,i}(α* ∧ β_i). 

Using this result, it can be shown that computing the default ranking z*_s is tractable 
in the k-ff-Horn case. Since z*_s is a proper generalization of z*, this result shows also 
that computing the default ranking z* is tractable in the k-ff-Horn case. 


Theorem 5.10. Let k > 0 be a fixed integer. Given an ε-consistent k-ff-Horn KB = (L, D) 
with positive strength assignment σ, computing the default ranking z*_s for KB, if KB is 
robust, and returning nil otherwise, can be done in polynomial time. 


In the sequel, let (KB, d) = ((L, D), φ → ψ) be a k-ff-Horn default reasoning problem
with ε-consistent and robust KB. Let σ be a positive strength assignment on KB.
Let D_a be the set of active defaults in D w.r.t. KB and d, let At_a be the activation set
of (L, D_a ∪ {d}), and let (At_1, ..., At_n) be the default partition of (L, D_a ∪ {d}). Let
z*_s, κ*_s be the unique solution of (3) and (4).

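For every i ∈ {1, ..., n}, let D_i denote the set of all defaults in D_a that are defined
over At_a ∪ At_i, and let σ_i be the restriction of σ to D_i. Let ẑ_{s,i} map each default in D_i
to a positive integer, and let the function κ̂_{s,i} on worlds I over At be defined by:


\[
\hat{\kappa}_{s,i}(I) =
\begin{cases}
\infty & \text{if } I \not\models L \\
0 & \text{if } I \models L \cup D_i \\
\sum_{d \in D_i :\, I \not\models d} \hat{z}_{s,i}(d) & \text{otherwise.}
\end{cases}
\tag{6}
\]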


It can be shown that in order to decide whether KB z*_s-entails d at given strength
τ > 0, it is sufficient to know all z*_s(d') with d' ∈ D_j, where j ∈ {1, ..., n} is such that d
is defined over At_a ∪ At_j. Moreover, it can be shown that the restriction of z*_s to D_j
coincides with the default ranking for (L, D_j) under the strength assignment σ_j.

Using these results, it can be shown that deciding z*_s-entailment is tractable in the
k-ff-Horn case. Again, since z*_s properly generalizes z*, this result shows also that
deciding z*-entailment is tractable in the k-ff-Horn case. Trivially, these tractability
results remain true when z*_s and z*, respectively, are part of the input.


Theorem 5.11. Let k > 0 be fixed. Given a k-ff-Horn default reasoning problem
(KB, d) = ((L, D), φ → ψ), where KB is ε-consistent and robust, and a positive
strength assignment σ on KB, deciding whether (KB, σ) z*_s-entails d at given strength
τ > 0 can be done in polynomial time.


Example 5.12. Let the 2-ff-Horn default reasoning problem (KB, d) be given by
KB = (L, D) of Example 5.4 and d = red ∧ bird → fly. Let σ(δ) = 1 for all δ ∈ D.

Now, d is z*_s-entailed by (KB, σ) at strength τ iff either (i) L ∪ {red ∧ bird, fly} is
unsatisfiable, or (ii) both L ∪ {red ∧ bird, fly} and L ∪ {red ∧ bird, ¬fly} are satisfiable,
and κ*_s(red ∧ bird ∧ fly) + τ ≤ κ*_s(red ∧ bird ∧ ¬fly). It can be shown that the latter
is equivalent to κ̂*_{s,1}((red ∧ bird)* ∧ fly) + τ ≤ κ̂*_{s,1}((red ∧ bird)* ∧ ¬fly), that is,
κ̂*_{s,1}(red ∧ bird ∧ fly) + τ ≤ κ̂*_{s,1}(red ∧ bird ∧ ¬fly), where κ̂*_{s,1} is defined through the
default ranking ẑ*_{s,1} for (L, D_1) = (L, {bird → fly, fly → mobile}) under σ_1 = σ|_{D_1}.

It is now easy to verify that ẑ*_{s,1}(d_1) = 1 for all d_1 ∈ D_1, that both L ∪ {red ∧
bird, fly} and L ∪ {red ∧ bird, ¬fly} are satisfiable, that κ̂*_{s,1}(red ∧ bird ∧ fly) = 0, and
that κ̂*_{s,1}(red ∧ bird ∧ ¬fly) = 1. Thus, (KB, σ) z*_s-entails red ∧ bird → fly at strength 1.




5.6 Lexicographic Entailment 


We now focus on lexicographic entailment. In the sequel, let (KB, d) = ((L, D), φ → ψ)
be a k-ff-Horn default reasoning problem. Let π be a priority assignment on KB. Let
D_a denote the set of all active defaults w.r.t. KB and d, let At_a be the activation set of
(L, D_a ∪ {d}), and let (At_1, ..., At_n) be the default partition of (L, D_a ∪ {d}).

For every i ∈ {1, ..., n}, let D_i denote the set of all defaults in D_a that are defined
over At_a ∪ At_i, and let KB_i = (L, D_i). Let π_i be the unique priority assignment on KB_i
that is consistent with π on KB (that is, π_i(d) < π_i(d') iff π(d) < π(d'), for all d, d' ∈ D_i).
Let j ∈ {1, ..., n} be such that d is defined over At_a ∪ At_j.

In order to decide whether (KB, π) lex_p-entails d, we must check whether every
π-preferred model of L ∪ {φ} satisfies ψ. It can now be shown that we can equivalently
check whether every π_j-preferred model of L ∪ {φ*} satisfies ψ.

Using this result, it can be shown that deciding lex_p-entailment is tractable in the
k-ff-Horn case. Moreover, as computing the z-partition for ε-consistent conditional
knowledge bases KB is tractable in the Horn case [16], this result shows also that
deciding lex-entailment is tractable in the k-ff-Horn case.


Theorem 5.13. Let k > 0 be fixed. Given a k-ff-Horn default reasoning problem
(KB, d) = ((L, D), φ → ψ) and a priority assignment π on KB, deciding whether
(KB, π) lex_p-entails d can be done in linear time.


Example 5.14. Let the 2-ff-Horn default reasoning problem (KB, d) be given by
KB = (L, D) of Example 5.4 and d = red ∧ bird → fly. Let π(δ) = 0, if δ ∈ {bird → fly,
bird → wings, fly → mobile}, and π(δ) = 1, if δ ∈ {penguin → ¬fly, penguin → arctic}.

It can be shown that (KB, π) lex_p-entails red ∧ bird → fly iff either L ∪ {red ∧ bird}
is unsatisfiable, or all π_1-preferred models of L ∪ {(red ∧ bird)*} = L ∪ {red ∧ bird}
satisfy fly, where π_1 is the priority assignment on KB_1 = (L, D_1) = (L, {bird → fly,
fly → mobile}) that maps each element of D_1 to 0. It is now easy to verify that this is
indeed the case. That is, (KB, π) lex_p-entails red ∧ bird → fly.
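
The conclusion of Example 5.14 can be cross-checked by brute force over all worlds. The sketch below rests on two assumptions that are not stated in this section: the strict part L of Example 5.4 is taken to be {penguin ⇒ bird}, and a world is taken to be π-preferred when it maximizes, lexicographically from the highest priority level downwards, the number of satisfied defaults per level. It enumerates all 2^7 worlds, so it is not the linear-time procedure of Theorem 5.13; the names holds, satisfies, score and lex_entails are hypothetical.

```python
from itertools import product

ATOMS = ["red", "bird", "fly", "wings", "mobile", "penguin", "arctic"]

# Assumption: the strict knowledge L of Example 5.4 is {penguin => bird}.
STRICT = [(("penguin",), "bird")]

# Priority assignment of Example 5.14: default (body, head) -> priority.
PRIORITY = {
    (("bird",), "fly"): 0,
    (("bird",), "wings"): 0,
    (("fly",), "mobile"): 0,
    (("penguin",), "-fly"): 1,
    (("penguin",), "arctic"): 1,
}


def holds(world, literal):
    """A literal is an atom 'a' or a negated atom '-a'; a world is the set of true atoms."""
    return literal[1:] not in world if literal.startswith("-") else literal in world


def satisfies(world, rule):
    """A rule (body, head) is satisfied unless all body literals hold and the head fails."""
    body, head = rule
    return not all(holds(world, b) for b in body) or holds(world, head)


def score(world):
    """Number of satisfied defaults per priority level, highest level first."""
    levels = sorted(set(PRIORITY.values()), reverse=True)
    return tuple(
        sum(satisfies(world, d) for d, p in PRIORITY.items() if p == level)
        for level in levels
    )


def lex_entails(premise, conclusion):
    """True iff every preferred model of L together with the premise satisfies the conclusion."""
    worlds = [
        frozenset(a for a, bit in zip(ATOMS, bits) if bit)
        for bits in product([False, True], repeat=len(ATOMS))
    ]
    models = [
        w for w in worlds
        if all(satisfies(w, r) for r in STRICT) and all(holds(w, l) for l in premise)
    ]
    if not models:
        return True  # L together with the premise is unsatisfiable
    best = max(score(w) for w in models)
    return all(holds(w, conclusion) for w in models if score(w) == best)


entailed = lex_entails(["red", "bird"], "fly")
```

Under these assumptions the call agrees with the example: the best worlds containing red and bird satisfy all five defaults and hence fly.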
Abstract. We consider the monodic formulas of common knowledge
predicate logic, which allow applications of epistemic operators to for- 
mulas with at most one free variable. We provide finite axiomatizations 
of the monodic fragment of the most important common knowledge pred- 
icate logics (the full logics are known to be not recursively enumerable) 
and single out a number of their decidable fragments. On the other hand, 
it is proved that the addition of the equality symbol to the monodic frag- 
ment makes it not recursively enumerable. 


1 Introduction 


Ever since it became common knowledge that intelligent behaviour of an agent 
is based not only on her knowledge about the world but also on knowledge about 
both her own and other agents’ knowledge, logical formalisms designed for rea- 
soning about knowledge have attracted attention in artificial intelligence, com- 
puter science, economic theory, and philosophy (cf. e.g. the books [5,16,13] and 
the seminal works [8,1]). In all these areas, one of the most successful approaches 
is to supply classical (propositional or first-order) logic with an explicit epistemic
operator K_i for each agent i under consideration. K_iφ means that agent i
knows (or believes) φ, K_1K_2φ says then that agent 1 knows that agent 2 knows
φ, and the schema of positive introspection K_iφ → K_iK_iφ states that agent i
knows what she knows. In the first-order case this language is capable of formalizing
the distinction between ‘knowing that’ and ‘knowing what’ (i.e., modalities
de dicto and de re): the formula K_i∃x name(x, y) stands for ‘i knows that y has
a name,’ while ∃x K_i name(x, y) means ‘i knows a name of y.’

There can be different interpretations of the knowledge operators (e.g. with 
or without positive or negative introspection), and for many of them transparent 
axiomatic representations have been found (cf. e.g. [7,5]). On the other hand, the 
possible worlds semantics [8] provided a framework to interpret this language: 
in a world w agent i knows φ if and only if φ holds in all worlds that i regards
possible in w (the difference between various understandings of K_i is reflected
by different accessibility relations among the worlds). 

The situation becomes much more complicated when—in order to describe 
the behavior of multi-agent systems—we extend the language with one more 
modal operator, C, to capture the common knowledge of a group of agents. Such 
an operator was required for analyzing conventions [14], coordination in multi-agent
systems [5], common sense reasoning [15], agreement [1,2], etc.¹ Although
the intended meaning of the common knowledge operator involves infinity: Cφ
stands for the infinite conjunction of the form


K_1φ ∧ K_1K_2φ ∧ ··· ∧ K_2K_1K_2φ ∧ ···,


both natural possible worlds semantics and clear inductive axiomatizations have 
been found for propositional common knowledge logics [7]. (The new operator, 
however, considerably increases the computational complexity of these logics— 
from PSPACE to EXPTIME; consult [5].) 

But real problems arise when we try to combine the common knowledge op- 
erator with the first-order quantifiers. First, no common knowledge predicate 
logic with both a finitary (or at least recursive) axiomatization and a reasonable 
semantics has ever been constructed! And second, the common knowledge pred- 
icate logics determined by the standard possible worlds semantics are known 
to be not recursively axiomatizable (and so not recursively enumerable) [17]. 
Thus, similar to second-order logic or first-order temporal logic, it is impossible 
to characterize common knowledge predicate logics syntactically. In some sense 
this means that neither we nor the Turing machine have the capacity of under- 
standing the interaction between common knowledge and quantifiers. Moreover, 
this is true of even very small fragments of the logics, say, the monadic or two- 
variable fragments (see [17]). 

Does it mean that we should completely abandon the idea of using common 
knowledge predicate logic? Still there exist manageable fragments with non- 
trivial interaction between the common knowledge operator and quantifiers. 

A promising approach to singling out non-trivial decidable fragments of first- 
order modal and temporal logics has been proposed in [9,20]. The idea is to 
restrict attention to the class of monodic² formulas which allow applications of
modal or temporal operators only to formulas with at most one free variable. In 
the epistemic context, monodicity means, in particular, that 


— we have the full expressive power of first-order logic as far as we do not apply 
epistemic operators to open formulas; 
— we can reason about agents’ knowledge of properties, for instance, 


∀x (C loves(John, x) ∨ C ¬loves(John, x))


(‘for every object x, it is a common knowledge whether John loves x’); how- 
ever, we are not permitted to reason about agents’ knowledge of relations, 
say 

∀x,y (C loves(x, y) ∨ C ¬loves(x, y))


(‘for all pairs x, y, it is a common knowledge whether x loves y’). 


¹ An alternative approach adds infinitary operators to the language, see [10,11].
² Monody is a composition with only one melodic line.
The main aim of this paper is to show that the monodic fragment of common
knowledge predicate logic turns out to be quite manageable. First, we show
that for almost all interesting interpretations of the operators K; the monodic 
fragment of the valid formulas (without equality) can be finitely axiomatized. 
Moreover, we observe that a number of natural subclasses of the monodic frag- 
ment, say, with only monadic predicates or two variables, are decidable. On the 
other hand, it is proved that the addition of the equality symbol to the monodic 
fragment makes it not recursively enumerable. 


2 First-Order Logics of Common Knowledge 


The logics we deal with in this paper are all based on the language we call 
CL, which extends the standard first-order language (without equality) with 
a number of epistemic operators, including the operator expressing common 
knowledge. The alphabet of CL consists of: 


— predicate symbols P_0, P_1, ...,
— individual variables x_0, x_1, ...,
— individual constants c_0, c_1, ...,
— the booleans ∧, ¬,
— the universal quantifier ∀x for each individual variable x,
— a finite number of knowledge operators K_1, ..., K_n, n ≥ 1, and
— the common knowledge operator C.


We assume that the set of predicate symbols is non-empty and that each of 
them is equipped with some fixed arity; 0-ary predicates are called propositional 
variables and denoted by p_0, p_1, .... The individual variables together with the
individual constants form the set of CL-terms. The set of CL-formulas is defined 
as follows: 


— if P is an n-ary predicate symbol and τ_1, ..., τ_n are terms, then P(τ_1, ..., τ_n)
is a formula;
— if φ and ψ are formulas, then so are φ ∧ ψ and ¬φ;
— if φ is a formula and x a variable, then ∀xφ is a formula;
— if φ is a formula and i ≤ n, then K_iφ and Cφ are formulas.


Throughout the paper we make use of the following abbreviations: ⊤, ⊥, φ ∨ ψ,
φ → ψ, φ ↔ ψ, and ∃xφ, which are defined as usual, as well as Eφ (‘everyone
knows φ’) which stands for K_1φ ∧ ··· ∧ K_nφ.

The language CL is interpreted in first-order Kripke models which are structures
of the form 𝔐 = (𝔉, D, I), where 𝔉 = (W, R_1, ..., R_n) is the underlying
Kripke frame (W ≠ ∅ is a set of worlds and the R_i are binary relations on W),
D is a nonempty set, the domain of 𝔐, and I a function associating with every
world w ∈ W a first-order structure

\[
I(w) = \left\langle D, P_0^{I(w)}, \ldots, c_0^{I(w)}, \ldots \right\rangle,
\]

in which P_i^{I(w)} is a predicate on D of the same arity as P_i (for a propositional
variable p_i, the predicate p_i^{I(w)} is either ⊤ or ⊥), and c_i^{I(w)} is an element in D
such that c_i^{I(u)} = c_i^{I(v)} for any u, v ∈ W. The latter means that constants are
treated as rigid designators in the sense that they designate the same object in
every world. To simplify notation we will omit the superscript I and write P_i^w,
p_i^w, c_i^w, etc., if I is clear from the context.


Remark 1. Note that we assume domains to be constant. Axiomatizations for 
the case of expanding or varying domains can easily be obtained from our results. 


An assignment in D is a function a from the set var of variables to D. The
value τ^{𝔐,a} (or simply τ^a if understood) of a term τ under a in 𝔐 is a(τ), if
τ is a variable, and τ^{I(w)} otherwise, where w is some (any) world in W. The
truth-relation (𝔐, w) ⊨^a φ (or simply w ⊨^a φ) in the model 𝔐 in the world w
under the assignment a is defined inductively as follows:


— w ⊨^a P_i(τ_1, ..., τ_m) iff (τ_1^a, ..., τ_m^a) ∈ P_i^w; this fact will also be written as
I(w) ⊨^a P_i(τ_1, ..., τ_m);
— w ⊨^a ψ ∧ χ iff w ⊨^a ψ and w ⊨^a χ;
— w ⊨^a ¬ψ iff w ⊭^a ψ;
— w ⊨^a ∀xψ(x, y_1, ..., y_n) iff w ⊨^b ψ(x, y_1, ..., y_n) for every assignment b in
D that may differ from a only on x;
— w ⊨^a K_iψ iff v ⊨^a ψ for all v ∈ W such that wR_iv;
— w ⊨^a Cψ iff v ⊨^a ψ for all v such that w(⋃_{i≤n} R_i)^+ v, where the superscript
+ means taking the transitive closure of ⋃_{i≤n} R_i.
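
The clauses for K_i and C can be illustrated on a finite model. The following sketch is restricted to the propositional part of the language (atoms in place of predicates, no quantifiers), which is a simplification made here for brevity; the tuple encoding of formulas and the names reachable and truth are hypothetical.

```python
def reachable(relations, w):
    """Worlds v with w (R_1 ∪ ... ∪ R_n)^+ v, i.e. reachable in one or more steps."""
    union = set().union(*relations)
    seen, frontier = set(), [w]
    while frontier:
        u = frontier.pop()
        for a, b in union:
            if a == u and b not in seen:
                seen.add(b)
                frontier.append(b)
    return seen


def truth(formula, w, relations, valuation):
    """Truth of a propositional epistemic formula at world w.

    Formulas are tuples: ("atom", p), ("not", f), ("and", f, g),
    ("K", i, f) with agents numbered from 1, and ("C", f).
    """
    tag = formula[0]
    if tag == "atom":
        return formula[1] in valuation[w]
    if tag == "not":
        return not truth(formula[1], w, relations, valuation)
    if tag == "and":
        return (truth(formula[1], w, relations, valuation)
                and truth(formula[2], w, relations, valuation))
    if tag == "K":
        _, i, body = formula
        return all(truth(body, v, relations, valuation)
                   for u, v in relations[i - 1] if u == w)
    if tag == "C":
        return all(truth(formula[1], v, relations, valuation)
                   for v in reachable(relations, w))
    raise ValueError(f"unknown connective: {tag}")


# Two agents: R_1 = {(0, 1)}, R_2 = {(1, 2)}; p holds only in world 1.
relations = [{(0, 1)}, {(1, 2)}]
valuation = {0: set(), 1: {"p"}, 2: set()}
p = ("atom", "p")
everyone_knows_p = ("and", ("K", 1, p), ("K", 2, p))
```

In this model Ep holds at world 0 (the only R_1-successor satisfies p and there is no R_2-successor), while Cp fails there, because world 2 is reachable in two steps and does not satisfy p.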


For a set of formulas Γ, a model 𝔐, a world w and an assignment a, we write
w ⊨^a Γ to say that w ⊨^a φ for every φ ∈ Γ. In this case Γ is said to be satisfied
in 𝔐. By 𝔉 ⊨ Γ we mean that Γ is valid in 𝔉, i.e., (𝔐, w) ⊨^a Γ holds for every
model 𝔐 based on 𝔉, every assignment a in it, and every world w in 𝔉.

Different epistemic logics correspond to different classes of frames. Usually
these classes are determined by combinations of the following properties:
reflexivity (denoted by r), transitivity (t), seriality (s), and euclideanness (e). We
denote by F^r the class of all reflexive frames, by F^{re} the class of all reflexive and
euclidean frames (i.e., the class of frames with equivalence relations), etc. F^∅ is
the class of all frames.
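
For a finite frame the four properties can be checked directly. The sketch below represents an accessibility relation as a set of pairs; this representation and the function names are chosen here for illustration only.

```python
def is_reflexive(worlds, r):
    """Every world sees itself."""
    return all((w, w) in r for w in worlds)


def is_serial(worlds, r):
    """Every world sees at least one world."""
    return all(any((w, v) in r for v in worlds) for w in worlds)


def is_transitive(r):
    """wRu and uRv imply wRv."""
    return all((a, d) in r for a, b in r for c, d in r if b == c)


def is_euclidean(r):
    """wRu and wRv imply uRv."""
    return all((b, d) in r for a, b in r for c, d in r if a == c)


worlds = {0, 1}
total = {(0, 0), (0, 1), (1, 0), (1, 1)}  # an equivalence relation
single_edge = {(0, 1)}
```

The relation total has all four properties, whereas single_edge is transitive (vacuously) but neither reflexive, serial, nor euclidean: from 0R1 and 0R1, euclideanness would require 1R1.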

For a class F of frames, we define L(F), the logic of F, to be the set of all
CL-formulas that are valid in all 𝔉 ∈ F. Here is a list of standard logics of
common knowledge: K^C = L(F^∅), T^C = L(F^r), KD^C = L(F^s), K4^C = L(F^t),
S4^C = L(F^{rt}), KD45^C = L(F^{ste}), S5^C = L(F^{re}).


3 Axiomatizing the Monodic Fragment 


As was shown in [17], none of the logics listed above is recursively axiomatiz- 
able. Moreover, the restriction of these logics to such ‘orthodox’ fragments as 
the monadic or two-variable formulas does not bring relief: they are still not
recursively enumerable. By analyzing proofs of these ‘negative’ results, one can
observe that all of them make use of formulas asserting that some agents know 
relations between two objects. On the other hand, the results of [18] establish- 
ing decidability of epistemic description logics (in which epistemic operators are 
applicable only to unary predicates) give some hope that the fragment without 
such formulas can be more manageable. 


Definition 1 (monodic formulas). Denote by CL_1 the set of all CL-formulas
φ such that any subformula of φ of the form K_iψ or Cψ has at most one free
variable. Such formulas will be called monodic. For a class F of frames, let
L_1(F) = L(F) ∩ CL_1. In other words, L_1(F) is the monodic fragment of the
logic L(F).

From now on all formulas are assumed to be monodic. 
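
Monodicity is a purely syntactic condition and can be tested by a recursive walk over the formula. In the sketch below formulas are nested tuples and terms are tagged pairs ("var", name) or ("const", name); this encoding, and the helper names free_vars, is_monodic and lor, are assumptions made for illustration.

```python
def free_vars(f):
    """Set of free variables of a formula given as a nested tuple."""
    tag = f[0]
    if tag == "pred":  # ("pred", name, terms)
        return {t[1] for t in f[2] if t[0] == "var"}
    if tag == "not":
        return free_vars(f[1])
    if tag == "and":
        return free_vars(f[1]) | free_vars(f[2])
    if tag == "forall":  # ("forall", variable, body)
        return free_vars(f[2]) - {f[1]}
    if tag in ("K", "C"):  # ("K", i, body) or ("C", body)
        return free_vars(f[-1])
    raise ValueError(f"unknown connective: {tag}")


def is_monodic(f):
    """True iff every subformula K_i psi or C psi has at most one free variable."""
    tag = f[0]
    if tag == "pred":
        return True
    if tag == "not":
        return is_monodic(f[1])
    if tag == "and":
        return is_monodic(f[1]) and is_monodic(f[2])
    if tag == "forall":
        return is_monodic(f[2])
    if tag in ("K", "C"):
        return len(free_vars(f[-1])) <= 1 and is_monodic(f[-1])
    raise ValueError(f"unknown connective: {tag}")


def lor(a, b):
    """Disjunction as an abbreviation, defined from negation and conjunction."""
    return ("not", ("and", ("not", a), ("not", b)))


john_loves_x = ("pred", "loves", (("const", "John"), ("var", "x")))
x_loves_y = ("pred", "loves", (("var", "x"), ("var", "y")))
about_properties = ("forall", "x",
                    lor(("C", john_loves_x), ("C", ("not", john_loves_x))))
about_relations = ("forall", "x", ("forall", "y",
                   lor(("C", x_loves_y), ("C", ("not", x_loves_y)))))
```

The two sample formulas are the ones from the Introduction: about_properties is monodic, while about_relations is not, since C is applied to a formula with the two free variables x and y.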


In this section we give axiomatizations of the monodic fragments of the epistemic
logics defined above. (These axiomatizations are first-order extensions
of those in [7].) To begin with, we axiomatize the monodic fragment of K^C,
i.e., L_1(F^∅). This axiomatic system, denoted by K^C, has the following axiom
schemata and inference rules:


Axiom schemata (over formulas in CL_1):


— the set of axiom schemata from some axiomatization of classical first-order
logic,
— Cφ → E(φ ∧ Cφ),
— K_i∀xψ ↔ ∀xK_iψ.


Inference rules (over formulas in CL_1):


— the rules of classical first-order logic,
— φ / K_iφ, for i ≤ n,
— φ → E(ψ ∧ φ) / φ → Cψ.


The monodic fragments of the remaining logics are axiomatized by adding to
K^C the corresponding standard axiom schemata:


A_D: K_iφ → ¬K_i¬φ, i ≤ n,
A_T: K_iφ → φ, i ≤ n,
A_4: K_iφ → K_iK_iφ, i ≤ n,
A_5: ¬K_iφ → K_i¬K_iφ, i ≤ n.


Namely, T^C, KD^C and K4^C are the axiomatic systems obtained by adding to
K^C the schemata A_T, A_D, and A_4, respectively. S4^C is K4^C plus A_T. KD45^C
is K4^C extended by A_D and A_5, and S5^C is KD45^C plus A_T.

Given an axiomatic system S, we denote by ⊢_S its consequence relation. Our
aim now is to prove that the defined systems indeed axiomatize the monodic
fragments of our common knowledge logics. That is, we are going to show that
for every monodic formula φ, we have ⊢_{K^C} φ iff φ ∈ K^C iff φ is valid in all
frames from F^∅, and similar claims for the other logics.

The easy ‘only if’ part of these claims, i.e., correctness, follows from well-known
results (consult e.g. [5,3]) and the almost obvious fact that the rule
φ → E(ψ ∧ φ) / φ → Cψ preserves validity. The ‘if’ part, i.e., completeness, is much
more complicated. It will be proved in the next section.


4 Completeness 


Given a set Γ of CL_1-formulas, we denote by con(Γ) and sub(Γ) the sets of all
constants and subformulas of formulas in Γ, respectively; sub_C(Γ) is defined as:


sub_C(Γ) = sub(Γ) ∪ {E(ψ ∧ Cψ), ψ ∧ Cψ, K_i(ψ ∧ Cψ) : Cψ ∈ sub(Γ), i ≤ n}.


Let sub_C^¬(Γ) = {¬ψ : ψ ∈ sub_C(Γ)} ∪ sub_C(Γ) and let sub_n(Γ) be the subset of
sub_C^¬(Γ) containing only formulas with ≤ n free variables. For instance, sub_0(Γ)
denotes the set of sentences in sub_C^¬(Γ). (Note that sub_n(Γ) is not necessarily
closed under subformulas and that modulo equivalence we may assume that
sub_n(Γ) is closed under ¬.) In what follows we will not be distinguishing between
a finite set Γ of formulas and the conjunction ⋀Γ of formulas in it.

Let x be a variable not occurring in Γ. Put


sub_x(Γ) = {ψ{x/y} : ψ(y) ∈ sub_1(Γ)} ∪ {¬K_i⊥, K_i⊥, ¬⊥, ⊥ : i ≤ n}.

For the rest of this section we fix an arbitrary CL_1-sentence φ.


Definition 2 (type). By a type for φ we mean a boolean-saturated subset t of
sub_x(φ), i.e.,


— ψ ∧ χ ∈ t iff ψ ∈ t and χ ∈ t, for every ψ ∧ χ ∈ sub_x(φ);
— ¬ψ ∈ t iff ψ ∉ t, for every ¬ψ ∈ sub_x(φ).


We say that two types t and t' agree on sub_0(φ) if t ∩ sub_0(φ) = t' ∩ sub_0(φ).
Given a type t for φ and a constant c ∈ con(φ), the pair (t, c) will be called an
indexed type for φ (indexed by c) and denoted by t_c(x) or simply t_c.


Definition 3 (state candidate). Suppose T is a set of types for φ that agree
on sub_0(φ), and T^con = {(t, c) : c ∈ con(φ)} a set of indexed types such that
{t : (t, c) ∈ T^con} ⊆ T and for each c ∈ con(φ), T^con contains exactly one pair
of the form (t, c). The pair ℭ = (T, T^con) is called then a state candidate for φ.
A pointed state candidate for φ is the pair 𝔓 = (ℭ, t), where t is a type in T,
called the point of 𝔓. With ℭ and 𝔓 we associate the formulas

\[
\alpha_{\mathfrak{C}} = \bigwedge_{t \in T} \exists x\, t(x) \;\wedge\; \forall x \bigvee_{t \in T} t(x) \;\wedge \bigwedge_{(t,c) \in T^{con}} t(c),
\qquad
\beta_{\mathfrak{P}} = \alpha_{\mathfrak{C}} \wedge t.
\]


In what follows S ranges over the axiomatic systems introduced in Section 3.
We remind the reader that a formula φ is said to be S-consistent if ⊬_S ¬φ.
Definition 4 (suitable pairs). (1) A pair (t_1, t_2) of types for φ is called
i-suitable for S, i ≤ n, if the formula t_1 ∧ ¬K_i¬t_2 is S-consistent.

(2) A pair (ℭ_1, ℭ_2) of state candidates is i-suitable for S, i ≤ n, if
α_{ℭ_1} ∧ ¬K_i¬α_{ℭ_2} is S-consistent.

(3) A pair (𝔓_1, 𝔓_2) of pointed state candidates is i-suitable for S, i ≤ n, if
β_{𝔓_1} ∧ ¬K_i¬β_{𝔓_2} is S-consistent. In this case we write 𝔓_1 ≺_i 𝔓_2.


Lemma 1. (i) For every finite S-consistent set Ψ of CL_1-formulas, there is a
pointed state candidate 𝔓 = (ℭ, t) for φ such that ⋀Ψ ∧ β_𝔓 is S-consistent.
Moreover, if ψ ∈ sub_x(φ) and ψ ∈ Ψ, then ψ ∈ t.

(ii) Suppose Ψ is a finite set of CL_1-formulas and ¬K_iθ is a formula in
sub_x(φ) such that ⋀Ψ ∧ ¬K_iθ is S-consistent. Then there exists a pointed state
candidate 𝔓 = (ℭ, t) for φ such that ¬θ ∈ t and ⋀Ψ ∧ ¬K_i¬β_𝔓 is S-consistent.


Proof. (i) Denote by δ_φ the disjunction of all formulas β_𝔓, 𝔓 a pointed state
candidate for φ. As δ_φ is classically valid, it is provable in S, hence ⋀Ψ ∧ δ_φ is
S-consistent. It follows that there is a disjunct β_𝔓 of δ_φ such that ⋀Ψ ∧ β_𝔓 is
S-consistent. Now, if ψ ∈ Ψ ∩ sub_x(φ) and t is the point of 𝔓, then ψ ∈ t, for
otherwise ¬ψ ∈ t, which is a contradiction.

(ii) If ⋀Ψ ∧ ¬K_iθ is S-consistent, then so is ⋀Ψ ∧ ¬K_i¬(¬θ ∧ δ_φ). It follows
that there is a pointed state candidate 𝔓 with point t such that ⋀Ψ ∧ ¬K_i¬(¬θ ∧
β_𝔓) is S-consistent. Clearly, ¬θ ∈ t, and we are done.


Note that Lemma 1 will hold true if we replace x by some constant c. 


Lemma 2. (i) If a pair (ℭ_1, ℭ_2) of state candidates for φ is i-suitable for S,
i ≤ n, then:


1. for every t ∈ T_1 there exists a t' ∈ T_2 such that (t, t') is i-suitable for S;
2. for every t' ∈ T_2 there exists a t ∈ T_1 such that (t, t') is i-suitable for S.


(ii) Suppose that a pair of types (t, t') is i-suitable for S. Then:


1. ψ ∈ t' whenever K_iψ ∈ t;
2. if A_4 ∈ S, then K_iψ ∈ t' whenever K_iψ ∈ t;
3. if {A_D, A_5} ⊆ S, then K_iψ ∈ t whenever K_iψ ∈ t';
4. if {A_D, A_4, A_5} ⊆ S or {A_T, A_5} ⊆ S, then K_iψ ∈ t iff K_iψ ∈ t'.


(iii) Suppose (t, t') is i-suitable for S. Then Cψ ∈ t implies Cψ ∈ t'. If {A_4, A_5} ⊆
S, then Cψ ∈ t iff Cψ ∈ t'.


Proof. (i) Suppose that t ∈ T_1 but there is no t' ∈ T_2 for which (t, t') is
i-suitable for S. This means that ⊢_S t → K_i¬t', for each t' ∈ T_2, and so
⊢_S t → K_i¬⋁_{t'∈T_2} t'. Then we have ⊢_S ∃x t → K_i∃x¬⋁_{t'∈T_2} t'. Since
⊢_S ∃x¬⋁_{t'∈T_2} t' → ¬α_{ℭ_2} and ⊢_S α_{ℭ_1} → ∃x t, we finally obtain
⊢_S α_{ℭ_1} → K_i¬α_{ℭ_2}, contrary to S-consistency of α_{ℭ_1} ∧ ¬K_i¬α_{ℭ_2}.
Claim (i.2) is proved in a similar way.
(ii) Suppose that K_iψ ∈ t but ψ ∉ t'. Then ¬ψ ∈ t', ⊢_S K_iψ → K_i¬t', and
so t ∧ ¬K_i¬t' is S-inconsistent, which is a contradiction.

Now suppose that S contains A_4, K_iψ ∈ t, but K_iψ ∉ t'. Then ¬K_iψ ∈ t'.
Hence ⊢_S K_iK_iψ → K_i¬t'. It follows from A_4 that ⊢_S K_iψ → K_i¬t', and so
t ∧ ¬K_i¬t' is S-inconsistent, contrary to the i-suitability of (t, t'). Claims (ii.3)
and (ii.4) are proved analogously.

(iii) Suppose Cψ ∈ t. Then E(ψ ∧ Cψ) ∈ t and so K_i(ψ ∧ Cψ) ∈ t, for i ≤ n.
By (ii.1), ψ ∧ Cψ ∈ t', from which Cψ ∈ t'.

If Cψ ∈ t' then, as we know, K_i(ψ ∧ Cψ) ∈ t', for i ≤ n. So if {A_4, A_5} ⊆ S,
then we have by (ii.4), ψ ∧ Cψ ∈ t, and so Cψ ∈ t.


Definition 5 (basic tree). Let 𝔗 = (W, <_1, ..., <_n) be a structure with pairwise
disjoint binary relations <_i on W such that (W, ⋃_{i≤n} <_i) is an intransitive
tree.³ By a basic tree for φ we mean the pair (𝔗, σ), where σ is a map associating
with every w ∈ W a state candidate σ(w) = (T_w, T_w^con) for φ. A basic tree
is called a basic S-tree if α_{σ(w)} is S-consistent, for every w ∈ W, and the pair
(σ(w_1), σ(w_2)) is i-suitable for S whenever w_1 <_i w_2.


Definition 6 (run). A run r in a basic S-tree (𝔗, σ) is a map associating with
every w ∈ W a type r(w) ∈ T_w such that


— the pair (r(w_1), r(w_2)) is i-suitable for S whenever w_1 <_i w_2;
— if ¬K_iψ ∈ r(w) then ψ ∉ r(w') for some w' >_i w;
— if ¬Cψ ∈ r(w) then ψ ∉ r(w') for some w' such that w(⋃_{i≤n} <_i)^+ w'.


Definition 7 (quasimodel). A basic S-tree (𝔗, σ) is called an S-quasimodel
for φ if


— for all w ∈ W and t ∈ T_w (σ(w) = (T_w, T_w^con)), there exists a run r in (𝔗, σ)
such that r(w) = t;
— for every constant c ∈ con(φ), the function r_c defined by r_c(w) = t, for
(t, c) ∈ T_w^con, w ∈ W, is a run in (𝔗, σ).


We say φ is satisfied in (𝔗, σ) if there exists w ∈ W such that α_{σ(w)} ∧ φ is
S-consistent.


Theorem 1. If φ is satisfiable in an S-quasimodel for φ, then φ is satisfiable
in a model based on a frame for S.


³ We remind the reader that 𝔊 = (W, ⊲) is an intransitive tree if (i) 𝔊 is rooted, i.e.,
there is w_0 ∈ W (a root of 𝔊) such that w_0 ⊲* w for every w ∈ W, where ⊲* is the
transitive and reflexive closure of ⊲, (ii) for every w ∈ W, the set {v ∈ W : v ⊲* w} is
finite and linearly ordered by ⊲*, (iii) every world v in 𝔊, save its root, has precisely
one predecessor, i.e., |{u ∈ W : u ⊲ v}| = 1, and (iv) the root w_0 is irreflexive, i.e.,
¬w_0 ⊲ w_0.
Proof. For every monodic formula ψ(y) of the form K_iχ(y) or Cχ(y) with one
free variable y, we reserve a unary predicate P_ψ(y). Likewise, for every sentence
ψ = K_iχ or ψ = Cχ we fix a propositional variable p_ψ. P_ψ(y) and p_ψ will be
called the surrogates for ψ(y) and ψ.

Given a monodic formula ψ, we denote by ψ̄ the formula that results from
ψ by replacing all subformulas of the form K_iχ(y), K_iχ, Cχ(y), and Cχ, which
are not within the scope of another epistemic operator, with their surrogates.
Thus, ψ̄ contains no occurrences of epistemic operators, i.e., it is a purely first-order
formula; we will call ψ̄ the L-reduct of ψ. For a set of CL_1-formulas Γ, let
Γ̄ = {ψ̄ : ψ ∈ Γ}.

Now suppose φ is satisfied in an S-quasimodel (𝔗, σ), 𝔗 = (W, <_1, ..., <_n).
So there is w* ∈ W such that φ ∧ α_{σ(w*)} is S-consistent. It follows that the
L-reduct φ̄ ∧ ᾱ_{σ(w*)} is consistent with respect to classical first-order logic. Moreover,
by Definition 5, α_{σ(w)} is S-consistent and ᾱ_{σ(w)} is first-order consistent, for every
w ∈ W. So, for each w ∈ W, we can find a structure I(w) ⊨ ᾱ_{σ(w)}. We may also
assume that I(w*) ⊨^{a*} φ̄, for some assignment a*.
Take a cardinal κ ≥ ℵ_0 exceeding the cardinality of the set Ω of all runs in
(𝔗, σ) and put

D = {(r, ξ) : r ∈ Ω, ξ < κ}.


Without loss of generality we can assume that D is the domain of the first-order
structures I(w) satisfying the ᾱ_{σ(w)}, that c^{I(w)} = (r_c, 0), and that


r(w) = {ψ ∈ sub_x(φ) : I(w) ⊨ ψ̄[(r, ξ)]},    (1)


for all runs r and ξ < κ. (Note that the underlying first-order language does not
contain equality; for details see [9], Lemma 9.)

Let us now define the underlying frame 𝔉 of the model we are constructing.
Its set of worlds is W. The accessibility relations R_i depend on S. Namely, we
define R_i to be


— <_i if S = K^C or S = KD^C;
— <_i ∪ {(w, w) : w ∈ W} if S = T^C;
— the transitive closure of <_i if S = K4^C;
— the reflexive and transitive closure of <_i if S = S4^C;
— <_i^+ ∪ {(w, w') : ∃v ∈ W (v <_i^+ w & v <_i^+ w' & ¬∃u u <_i v)} if S = KD45^C;
— the reflexive, symmetric and transitive closure of <_i if S = S5^C.
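
For a finite tree relation, the case distinction above can be sketched as follows. The relation <_i is given as a set of pairs, system names are plain strings without the superscript C, and the KD45 clause is read as: <_i^+ together with all pairs (w, w') that lie strictly above a common point v having no <_i-predecessor. The function names are hypothetical, and the sketch only illustrates the closure operations, not the infinite construction used in the proof.

```python
def transitive_closure(rel):
    """Smallest transitive relation containing rel."""
    closure = set(rel)
    while True:
        extra = {(a, d) for a, b in closure for c, d in closure if b == c} - closure
        if not extra:
            return closure
        closure |= extra


def kd45_relation(rel):
    """rel^+ plus all pairs (w, w') with v rel^+ w and v rel^+ w'
    for some v that has no rel-predecessor."""
    plus = transitive_closure(rel)
    has_pred = {b for _, b in rel}
    extra = {(w, w2)
             for v, w in plus if v not in has_pred
             for v2, w2 in plus if v2 == v}
    return plus | extra


def accessibility(system, worlds, rel):
    """Accessibility relation R_i obtained from the tree relation rel for a given system."""
    identity = {(w, w) for w in worlds}
    if system in ("K", "KD"):
        return set(rel)
    if system == "T":
        return set(rel) | identity
    if system == "K4":
        return transitive_closure(rel)
    if system == "S4":
        return transitive_closure(rel) | identity
    if system == "KD45":
        return kd45_relation(rel)
    if system == "S5":
        symmetric = set(rel) | {(b, a) for a, b in rel}
        return transitive_closure(symmetric) | identity
    raise ValueError(f"unknown system: {system}")


chain = {(0, 1), (1, 2)}  # the three-element chain 0 < 1 < 2
r_kd45 = accessibility("KD45", {0, 1, 2}, chain)
```

On the chain, r_kd45 consists of (0,1), (0,2) and all pairs over {1, 2}, which is serial, transitive and euclidean. Seriality depends on every world having a successor further up; in the proof this is guaranteed by the construction of the quasimodel, not by the closure operation itself.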


Note that for S = KD^C the R_i are serial because in this case every S-consistent
type for φ contains at least one formula of the form ¬K_iψ. For S = KD45^C the
R_i are clearly serial. Suppose w_1R_iw and wR_iw_2. If w_1 has no <_i-predecessor,
then w_1 <_i^+ w_2 and so w_1R_iw_2. Otherwise, there are v_j, for j = 1, 2, such that
v_j <_i^+ w_j, v_j <_i^+ w and the v_j have no <_i-predecessors. Since 𝔗 is an irreflexive
tree, we get v_1 = v_2. Thus v_1 <_i^+ w_1 and v_1 <_i^+ w_2. By the definition of R_i, it
follows that w_1R_iw_2. Hence R_i is transitive. Similarly one can show that R_i is
euclidean.
Thus we have the model 𝔐 = (𝔉, D, I) with 𝔉 = (W, R_1, ..., R_n). By induction on the
construction of ψ ∈ sub(φ) we will show now that for every assignment a


I(w) ⊨^a ψ̄ iff (𝔐, w) ⊨^a ψ.


The basis of induction, i.e., the case where ψ = P_i(τ_1, ..., τ_m) is clear; for then
ψ̄ = ψ. The induction step for ψ = ψ_1 ∧ ψ_2, ψ = ¬ψ_1, and ψ = ∀yψ_1 follows
by the induction hypothesis from the equations

\[
\overline{\psi_1 \wedge \psi_2} = \overline{\psi_1} \wedge \overline{\psi_2}, \qquad
\overline{\neg\psi_1} = \neg\overline{\psi_1}, \qquad
\overline{\forall y\,\psi_1} = \forall y\,\overline{\psi_1}.
\]

Let ψ = K_iχ(y) and assume that a(y) = (r, ξ). (If ψ is a sentence,
y is any variable.) We then have:


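\begin{align*}
I(w) \models^a \overline{K_i\chi(y)}
  &\Leftrightarrow_1 I(w) \models^a P_{K_i\chi}(y) \\
  &\Leftrightarrow_2 K_i\chi(x) \in r(w) \\
  &\Leftrightarrow_3 \forall v\, (wR_iv \to \chi(x) \in r(v)) \\
  &\Leftrightarrow_4 \forall v\, (wR_iv \to I(v) \models^a \overline{\chi}(y)) \\
  &\Leftrightarrow_5 \forall v\, (wR_iv \to (\mathfrak{M}, v) \models^a \chi(y)) \\
  &\Leftrightarrow_6 (\mathfrak{M}, w) \models^a K_i\chi(y).
\end{align*}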


Equivalence ⇔_1 holds by the definition of ψ̄; ⇔_2 and ⇔_4 are consequences of
(1). The induction hypothesis yields ⇔_5, and ⇔_6 holds by definition. The only
non-trivial case is ⇔_3.

(⇒_3) Suppose K_iχ ∈ r(w) and wR_iw'. So if w <_i w' the claim follows by
Definition 6. If S = K^C or S = KD^C then we are done, because R_i = <_i.

Let S = KD45^C. By the definition of R_i, we have either w <_i^+ w' or there
exists v such that v <_i^+ w, v <_i^+ w' and ¬∃u u <_i v. The former case is
easy; we leave it to the reader and consider the latter one here. We have some
m ∈ ω and worlds v_0, ..., v_{m+1} such that v_0 = v, v_{m+1} = w and v_j <_i v_{j+1}
for every j ≤ m. By Definition 6, (r(v_j), r(v_{j+1})) is i-suitable for S whenever
j ≤ m. By Lemma 2, K_iχ(x) ∈ r(v_0) = r(v). Similarly, using v <_i^+ w' we
obtain worlds u_0, ..., u_{l+1} such that u_0 = v, u_{l+1} = w' and u_j <_i u_{j+1} for
every j ≤ l. Again, (r(u_j), r(u_{j+1})) is i-suitable for S whenever j ≤ l, and
by Lemma 2, K_iχ(x) ∈ r(u_l). Using the same lemma once again, we obtain
χ(x) ∈ r(u_{l+1}) = r(w'). (⇐_3) is an immediate consequence of Definition 6.
Other cases for S are treated analogously.

Finally, let ψ = Cχ(y) and a(y) = (r, ξ). Since the proof is similar to the
foregoing one, we leave it to the reader.


Thus, to prove completeness of our axiom system S, it suffices to construct
an S-quasimodel satisfying φ whenever φ is S-consistent.


Lemma 3. Let 𝔓 = (ℭ, t) be a pointed state candidate for φ such that β_𝔓 is
S-consistent.

(i) If ¬K_iψ ∈ t, then there exists 𝔓' = (ℭ', t') such that 𝔓 ≺_i 𝔓' and ψ ∉ t'.
Moreover, if (t, c) ∈ ℭ for some constant c, then we can choose 𝔓' = (ℭ', t') with
𝔓 ≺_i 𝔓' and ψ ∉ t' so that (t', c) ∈ ℭ'.

(ii) If ¬Cψ ∈ t, then there are pointed state candidates 𝔓_j = (ℭ_j, t_j), j ≤ k,
with 𝔓_0 = 𝔓 and

𝔓_0 ≺_{i_1} 𝔓_1 ≺_{i_2} ··· ≺_{i_k} 𝔓_k,


for some i_1, ..., i_k ≤ n, such that ¬ψ ∈ t_k. Moreover, if (t, c) ∈ ℭ, then we can
choose such a sequence with (t_j, c) ∈ ℭ_j for all j ≤ k.


Proof. (i) follows from Lemma 1. So let us prove (ii). Suppose that such a
sequence does not exist. Let 𝒯 be the minimal set of pointed state candidates such
that


— 𝔓 ∈ 𝒯,
— if 𝔔_1 ∈ 𝒯 and 𝔔_1 ≺_i 𝔔_2 for some i ≤ n, then 𝔔_2 ∈ 𝒯.


Let ϑ = ⋁_{𝔔∈𝒯} β_𝔔. Then ⊢_S ϑ → K_iϑ, for all i ≤ n. Indeed, suppose otherwise.
Then ϑ ∧ ¬K_iϑ is S-consistent for some i ≤ n. But then, by Lemma 1, ϑ ∧
¬K_i¬β_{𝔓'} is S-consistent for some pointed state candidate 𝔓' ∉ 𝒯. This, however,
contradicts the definition of 𝒯, since we would have 𝔔 ≺_i 𝔓' for some disjunct
β_𝔔 of ϑ. Hence ⊢_S ϑ → Eϑ. Clearly, ψ ∈ s for every (ℭ*, s) ∈ 𝒯, for otherwise
we could construct a sequence satisfying condition (ii). Thus, ⊢_S ϑ → ψ and
so ⊢_S ϑ → E(ψ ∧ ϑ). By the inference rule for C we obtain ⊢_S ϑ → Cψ, and
so ⊢_S β_𝔓 → Cψ, since 𝔓 ∈ 𝒯. But then β_𝔓 is S-inconsistent, which is a
contradiction.


We are in a position now to prove the main result of this section. 


Theorem 2. If S is one of the axiomatic systems defined above and φ an
S-consistent monodic formula, then φ is satisfiable in a model based on a frame
for S.


Proof. In view of Theorem 1, it suffices to construct an S-quasimodel satisfying
φ. By Lemma 1, we can find a state candidate ℭ* such that φ ∧ α_{ℭ*} is
S-consistent. We are going to construct the required quasimodel as the limit of a
sequence

\[
(\mathfrak{T}_m, \sigma_m) = \big( (W_m, <_1^m, \ldots, <_n^m), \sigma_m \big)
\]

of basic S-trees, m ∈ ω.

Let W_0 = {w*} for some point w* and let σ_0(w*) = ℭ*. Suppose now that
(𝔗_m, σ_m) has been already defined. For every w ∈ W_m − W_{m−1} we shall construct
a number of new points ‘saturating’ σ_m(w) (W_{−1} = ∅). Let ℭ = σ_m(w), ℭ =
(T, T^con). Pick some t ∈ T and do the following:

(a) For every χ = ¬K_iψ ∈ t we take two points a_χ and b_χ, add them to
W_{m+1}, put w <_i^{m+1} a_χ, w <_i^{m+1} b_χ, and σ_{m+1}(a_χ) = σ_{m+1}(b_χ) = ℭ', for some
ℭ' underlying a pointed state candidate 𝔓' = (ℭ', t') with (ℭ, t) ≺_i 𝔓' and
ψ ∉ t'(x). That such a 𝔓' exists is guaranteed by Lemma 3. If (t, c) ∈ T^con for
some constant c, then we take for t' the type s with (s, c) in ℭ'.


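(b) For every $\chi = \neg C\psi \in t$ we take two sequences $a_\chi^1, \dots, a_\chi^k$ and $b_\chi^1, \dots, b_\chi^k$ and put

$$w \prec_{i_1}^{m+1} a_\chi^1 \prec_{i_2}^{m+1} \cdots \prec_{i_k}^{m+1} a_\chi^k, \qquad w \prec_{i_1}^{m+1} b_\chi^1 \prec_{i_2}^{m+1} \cdots \prec_{i_k}^{m+1} b_\chi^k$$

and

$$\sigma_{m+1}(a_\chi^j) = \sigma_{m+1}(b_\chi^j) = \mathfrak{C}_j, \quad \text{for all } j \le k,$$

where the $(\mathfrak{C}_j, t_j)$ form a sequence of pointed state candidates with

$$(\mathfrak{C}, t) \prec_{i_1} (\mathfrak{C}_1, t_1) \prec_{i_2} \cdots \prec_{i_k} (\mathfrak{C}_k, t_k)$$

and $\neg\psi \in t_k$. Again Lemma 3 ensures the existence of such a sequence. If $(t,c) \in T^{con}$ for some constant c, then we take a sequence with $(t_j,c)$ from $\mathfrak{C}_j$ for all $j \le k$.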

In the same manner we consider the remaining types in $T$ and then the remaining worlds $v \in W_m - W_{m-1}$. $W_{m+1}$ is defined as the (disjoint) union of $W_m$ and the constructed new points. The relations $\prec_i^{m+1}$ coincide with $\prec_i^m$ on $W_m$. For the new points their extension is defined above. The function $\sigma_{m+1}$ coincides with $\sigma_m$ on $W_m$, and is defined above for the new worlds. Thus we have constructed $(\mathfrak{F}_{m+1}, \sigma_{m+1})$.

Finally, put $(\mathfrak{F}, \sigma) = ((W, \prec_1, \dots, \prec_n), \sigma)$, where

$$W = \bigcup_{m<\omega} W_m, \qquad \prec_i = \bigcup_{m<\omega} \prec_i^m, \qquad \sigma = \bigcup_{m<\omega} \sigma_m.$$

It remains to show that $(\mathfrak{F}, \sigma)$ is an S-quasimodel. It should be clear that the functions $r_c$ are runs. So it suffices to show that, for all $w \in W$ and $t$ from $\sigma(w)$, there exists a run $r$ with $r(w) = t$.

First, using Lemma 2 we find a sequence

$$w^* = w_0 \prec_{i_1} w_1 \prec_{i_2} \cdots \prec_{i_k} w_k = w$$

and types $t_j$ from $\sigma(w_j)$, $0 \le j \le k$, such that $t_k = t$ and $t_j(x) \wedge \neg K_{i_{j+1}} \neg t_{j+1}(x)$ is S-consistent for all $j < k$.

Let $r(w_j) = t_j$ and $V_0 = \{w_0, \dots, w_k\}$. Define by induction an increasing chain of sets $V_n \supseteq W_n$ with $V_n - W_n \subseteq V_0$, on which we define $r$. Suppose $V_n$ is defined. For every $w \in W_n - W_{n-1}$ with $r(w) = t$ we do the following:

- If $\neg K_i\psi \in t$, then take $v \in W_{n+1} - V_n$ with $w \prec_i v$ and $t'$ from $\sigma(v)$ such that $t \wedge \neg K_i \neg t'$ is S-consistent and $\psi \notin t'$. This can be done because we always took two saturating worlds in the construction above. Put $r(v) = t'$.

- If $\neg C\psi \in t$, then take a sequence $v_1, \dots, v_k$ from $W_{n+1} - V_n$ such that $w \prec_{i_0} v_1$, $v_1 \prec_{i_1} \cdots \prec_{i_{k-1}} v_k$, and types $t_j$ from $\sigma(v_j)$, $1 \le j \le k$, such that

  • $(t, t_1)$ is $i_0$-suitable for S,

  • $(t_j, t_{j+1})$ is $i_j$-suitable for S, $1 \le j < k$,

  • $\psi \notin t_k$.

  Again, this can be done since we always took two saturating sequences. Put $r(v_j) = t_j$ for all $1 \le j \le k$.


Finally, we have to define $r$ for all $v \in W_{n+1}$ where $r$ was not defined above. This can be done recursively as follows. Suppose $r(v)$ is not defined yet for some $v \in W_{n+1}$. If $r$ is defined already for the (unique) $v'$ such that $v' \prec_i v$, then take a $t$ from $\sigma(v)$ such that $(r(v'), t)$ is i-suitable for S and put $r(v) = t$ ($t$ exists by Lemma 2). Otherwise consider first $v'$ itself.

It is now straightforward to see that r is a run. 
As a consequence we obtain:


Theorem 3. Let $S \in \{K_n^C, T_n^C, KD_n^C, K4_n^C, S4_n^C, KD45_n^C, S5_n^C\}$ and let $\mathcal{F}$ be the class of frames for S. Then for every monodic formula $\varphi$ it holds that $\vdash_S \varphi$ iff $\varphi \in L_1(\mathcal{F})$.


5 Decidability 


Another important algorithmic feature of the monodic formulas is that if, roughly 
speaking, we restrict the underlying purely first-order formulas to a decidable 
class, then the resulting monodic fragments of the epistemic logics under con- 
sideration will also be decidable. In particular, we have the following: 


Theorem 4. Let $\mathcal{F}$ be any of the frame classes mentioned at the end of Section 2. Then the following fragments are decidable:


- the monadic fragment of $L_1(\mathcal{F})$,
- the two-variable fragment of $L_1(\mathcal{F})$,
- the guarded fragment of $L_1(\mathcal{F})$.


(Note, however, that the guarded fragment of L(F*) is undecidable.) For more 
details and an idea of the proof the reader is referred to [9,20]. Actually, no non- 
trivial decidable fragments of epistemic predicate logics have been constructed 
before. 

It may also be of interest to note that these decidability results make it possible to construct various decidable description logics with common knowledge and other epistemic operators applicable to concepts and formulas (but not to roles; see [19]). Weaker epistemic description logics were proposed in [6,12].


6 Adding Equality 


In this section we show that the addition of equality to the language of monodic formulas restores the ‘status quo,’ namely, that all the fragments considered above become non-enumerable. Let $\mathcal{L}_1^{=}$ be the language $\mathcal{L}_1$ extended with the equality symbol interpreted in first-order structures as identity.


Theorem 5. Let $\mathcal{F}$ be any of the frame classes defined at the end of Section 2. Then the logic $L_1^{=}(\mathcal{F})$ in the language $\mathcal{L}_1^{=}$ is not recursively enumerable.


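Proof. Define $\psi$ to be the conjunction of the following $\mathcal{L}_1^{=}$-formulas:

$$\begin{aligned}
\psi_1 &= \exists x\, P(x) \wedge \forall x \forall y\, (P(x) \wedge P(y) \to x = y),\\
\psi_2 &= C\, \forall x \forall y\, (\neg K_i \neg P(x) \wedge \neg K_i \neg P(y) \wedge \neg P(x) \wedge \neg P(y) \to x = y), \quad \text{for } i \le 2,\\
\psi_3 &= \neg C \neg \forall x\, (P(x) \leftrightarrow \neg C \neg P(x)),\\
\psi_4 &= \forall x\, (\neg C \neg P(x) \to C \neg C \neg P(x)),\\
\psi_5 &= \forall x\, (Q(x) \leftrightarrow \neg C \neg P(x)).
\end{aligned}$$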
First we notice that for all models $\mathfrak{M} = (\mathfrak{F}, D, I)$ with $\mathfrak{F} = (W, R_1, \dots, R_n)$ and all $w \in W$, if $(\mathfrak{M}, w) \models \psi$ then $Q^{I(w)}$ is finite. Indeed, by $\psi_1$, the set $P^{I(w)}$ is a singleton. From $\psi_3$ we get some $w'$ for which $w (\bigcup_{i \le 2} R_i)^* w'$ and $w' \models \forall x\, (P(x) \leftrightarrow \neg C \neg P(x))$. Hence there are $w_0, \dots, w_{m+1} \in W$ such that $w_0 = w$, $w_{m+1} = w'$ and for every $j \le m$ there is some $i_j \le 2$ for which $w_j R_{i_j} w_{j+1}$ holds. In view of $\psi_2$, $|P^{I(w_{j+1})} - P^{I(w_j)}| \le 1$ for every $j \le m$, which yields $|P^{I(w')}| \le m + 1$. Thus it remains to show that $Q^{I(w)} \subseteq P^{I(w')}$. Suppose $a \in Q^{I(w)}$. Then, by $\psi_5$, $w \models \neg C \neg P[a]$ and by $\psi_4$ we obtain $w \models C \neg C \neg P[a]$, from which $w' \models P[a]$.

Second, we show that for every first-order sentence $\theta$ containing neither $P$ nor $Q$ the following are equivalent:


(a) $\theta$ is true in all finite first-order structures;
(b) $\psi \to \theta^Q$ is valid in all frames in $\mathcal{F}$.


(Here $\theta^Q$ is the relativisation of $\theta$ to $Q$, i.e., $\theta^Q = \theta$ if $\theta$ is atomic, $\cdot^Q$ commutes with the booleans, and $(\forall x\, \theta_1)^Q = \forall x\, (Q(x) \to \theta_1^Q)$.)
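The relativisation just described is a simple structural recursion, and a minimal sketch may make it concrete. The tuple encoding of formulas and the name `relativise` are hypothetical choices made here for illustration. The clause for the existential quantifier is not stated in the text and is filled in as the usual dual of the universal clause, which is an assumption.

```python
# Formulas are nested tuples (an encoding assumed for this sketch only):
#   ("atom", name, args), ("not", f), ("and", f, g), ("or", f, g),
#   ("imp", f, g), ("forall", x, f), ("exists", x, f)

def relativise(theta, q="Q"):
    """Return theta relativised to the unary predicate q."""
    tag = theta[0]
    if tag == "atom":
        return theta  # atomic formulas are left unchanged
    if tag == "not":
        return ("not", relativise(theta[1], q))
    if tag in ("and", "or", "imp"):
        # the translation commutes with the booleans
        return (tag, relativise(theta[1], q), relativise(theta[2], q))
    if tag == "forall":
        x, body = theta[1], theta[2]
        guard = ("atom", q, (x,))
        return ("forall", x, ("imp", guard, relativise(body, q)))
    if tag == "exists":
        # assumed dual clause: (exists x f)^Q = exists x (Q(x) and f^Q)
        x, body = theta[1], theta[2]
        guard = ("atom", q, (x,))
        return ("exists", x, ("and", guard, relativise(body, q)))
    raise ValueError(f"unknown connective: {tag}")
```

For instance, `relativise(("forall", "x", ("atom", "R", ("x",))))` guards the quantifier with `Q(x)` and leaves the atom untouched.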

(a) ⇒ (b). Suppose there is a model $\mathfrak{M}$ and a world $w$ in it such that $w \models \psi$ but $w \not\models \theta^Q$. Define a finite first-order structure $J$ with domain $E = Q^{I(w)}$ and predicates $P_i^J = P_i^{I(w)} \cap E$. It can be easily shown by induction that for every formula $\chi$ and every assignment $\mathfrak{a}$ in $E$, we have $J \models^{\mathfrak{a}} \chi$ iff $w \models^{\mathfrak{a}} \chi^Q$. In particular, $J \not\models \theta$.

(a) ⇐ (b). Let us show first that for every natural number $m > 0$, there are $\mathfrak{M}_m = (\mathfrak{F}_m, D_m, I_m)$ based on a frame $\mathfrak{F}_m$ in F® and $w$ in $\mathfrak{F}_m$ such that $|W_m| = m$ and $w \models \psi$. Put $W_m = \{w_1, \dots, w_m\}$, $w_i \ne w_j$ whenever $i \ne j$, $D_m = \mathbb{N}$, and

$$\begin{aligned}
R_1 &= \{(w_k, w_{k+1}), (w_{k+1}, w_k) : k < m \ \&\ \exists l\ k = 2l+1\} \cup \{(w_k, w_k) : k \le m\},\\
R_2 &= \{(w_k, w_{k+1}), (w_{k+1}, w_k) : k < m \ \&\ \exists l\ k = 2l\} \cup \{(w_k, w_k) : k \le m\}.
\end{aligned}$$

Finally, for each $k \le m$, put $P^{I(w_k)} = \{0, \dots, k-1\}$ and $Q^{I(w_k)} = \{0, \dots, m-1\}$ (see Fig. 1). It is easy to see that the model is reflexive and euclidean, and $w_1 \models \psi$.


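Fig. 1. The model $\mathfrak{M}_m$: the worlds $w_1, w_2, w_3, \dots, w_{m-1}, w_m$ form a chain whose consecutive worlds are linked alternately by $R_1$ and $R_2$, with $P^{I(w_1)} = \{0\}$, $P^{I(w_2)} = \{0,1\}$, $P^{I(w_3)} = \{0,1,2\}$, ..., $P^{I(w_m)} = \{0, \dots, m-1\}$.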
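The construction of the chain model can be checked mechanically for small $m$. The sketch below builds the worlds, the two relations and the extensions of P and Q, and then tests reflexivity, the euclidean property and the five conjuncts at the first world. Several points are assumptions of this sketch rather than statements of the paper: the conjuncts are read as $\psi_1$ to $\psi_5$ in the form reconstructed from the garbled source, C is read as truth in all worlds reachable in one or more steps of $R_1 \cup R_2$, and the infinite domain is cut down to $\{0, \dots, m\}$, which suffices because every element outside $\{0, \dots, m-1\}$ behaves alike. All function names are hypothetical.

```python
def build_model(m):
    """Worlds 1..m; R1 links odd k with k+1, R2 links even k with k+1."""
    W = list(range(1, m + 1))

    def links(parity):
        pairs = {(k, k) for k in W}  # reflexive loops
        for k in range(1, m):
            if k % 2 == parity:
                pairs |= {(k, k + 1), (k + 1, k)}
        return pairs

    R = {1: links(1), 2: links(0)}
    P = {k: set(range(k)) for k in W}   # P at w_k is {0, ..., k-1}
    Q = {k: set(range(m)) for k in W}   # Q is {0, ..., m-1} everywhere
    return W, R, P, Q

def is_reflexive(W, rel):
    return all((w, w) in rel for w in W)

def is_euclidean(W, rel):
    return all((v, u) in rel for (w, v) in rel for (w2, u) in rel if w == w2)

def reachable(R, w):
    """Worlds reachable from w in one or more steps of R1 ∪ R2."""
    union = R[1] | R[2]
    seen, frontier = set(), {w}
    while frontier:
        nxt = {v for (u, v) in union if u in frontier} - seen
        seen |= nxt
        frontier = nxt
    return seen

def satisfies_psi(m, w=1):
    W, R, P, Q = build_model(m)
    dom = range(m + 1)          # finite stand-in for the domain (assumption)
    reach = reachable(R, w)

    def poss(x, v):             # "not C not P(x)" holds at v
        return any(x in P[u] for u in reachable(R, v))

    psi1 = len(P[w]) == 1
    psi2 = all(
        len({x for x in dom
             if x not in P[v]
             and any(x in P[u] for (v2, u) in R[i] if v2 == v)}) <= 1
        for v in reach for i in (1, 2))
    psi3 = any(all((x in P[v]) == poss(x, v) for x in dom) for v in reach)
    psi4 = all((not poss(x, w)) or all(poss(x, v) for v in reach) for x in dom)
    psi5 = all((x in Q[w]) == poss(x, w) for x in dom)
    return psi1 and psi2 and psi3 and psi4 and psi5
```

Calling `satisfies_psi(m)` for a few small values of `m` gives a quick sanity check of the claim that the first world satisfies the conjunction under the stated reading.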


Now, to complete the proof, suppose that there is a finite first-order structure $J$ with domain $D$ such that $|D| = m$ and $J \not\models \theta$. Take the model $\mathfrak{M}_m$ and the world $w \models \psi$ constructed above. Without loss of generality we can assume that $Q^{I(w)} = D$. Now expand $\mathfrak{M}_m$ to a model $\mathfrak{M}'_m$ by interpreting each predicate symbol $P_i$ as follows: $P_i^{I(w')} = P_i^J$ for each $w' \in W_m$. Now, for every first-order formula $\chi$ (without $P$, $Q$) and every assignment $\mathfrak{a}$ in $D$, we have $J \models^{\mathfrak{a}} \chi$ iff $(\mathfrak{M}'_m, w) \models^{\mathfrak{a}} \chi^Q$. Therefore, $(\mathfrak{M}'_m, w) \not\models \theta^Q$, and so $\psi \to \theta^Q$ is not valid in F® (which is contained in all our frame classes).

It remains to recall that, by Trakhtenbrot’s theorem (see [4]), the set of first-order sentences that are valid in finite structures is not recursively enumerable.


Acknowledgments. The authors would like to thank Nobu-Yuki Suzuki for his 
ported by the Deutsche Forschungsgemeinschaft.


References 


1. R.J. Aumann. Agreeing to disagree. The Annals of Statistics, 4:1236-1239, 1976.

2. M. Bacharach. The epistemic structure of a theory of game. Theory and Decision, 37:7-48, 1994.

3. A.V. Chagrov and M.V. Zakharyaschev. Modal Logic. Clarendon Press, Oxford, 1997.

4. H. Ebbinghaus and J. Flum. Finite Model Theory. Springer, 1995.

5. R. Fagin, J. Halpern, Y. Moses, and M. Vardi. Reasoning about Knowledge. MIT Press, 1995.

6. A. Gräber, H. Bürckert, and A. Laux. Terminological reasoning with knowledge and belief. In A. Laux and H. Wansing, editors, Knowledge and Belief in Philosophy and Artificial Intelligence, pages 29-61. Akademie Verlag, 1995.

7. J. Halpern and Yo. Moses. A guide to completeness and complexity for modal logics of knowledge and belief. Artificial Intelligence, 54:319-379, 1992.

8. J. Hintikka. Knowledge and Belief: An Introduction to the Logic of Two Notions. Cornell University Press, 1962.

9. I. Hodkinson, F. Wolter, and M. Zakharyaschev. Decidable fragments of first-order temporal logics. Annals of Pure and Applied Logic, 2000.

10. M. Kaneko and T. Nagashima. Game logic and its applications 1. Studia Logica, 57:325-354, 1996.

11. M. Kaneko and T. Nagashima. Game logic and its applications 2. Studia Logica, 58:273-303, 1997.

12. A. Laux. Beliefs in multi-agent worlds: a terminological approach. In Proceedings of the 11th European Conference on Artificial Intelligence, pages 299-303, Amsterdam, 1994.

13. W. Lenzen. Recent work in epistemic logic. Acta Philosophica Fennica, 30:1-219, 1978.

14. D. Lewis. Convention. A Philosophical Study. Harvard University Press, Cambridge, Massachusetts, 1969.

15. J. McCarthy, M. Sato, T. Hayashi, and S. Igarashi. On the model theory of knowledge. Technical Report STAN-CS-78-657, Stanford University, 1979.

16. J.J. Meyer and W. van der Hoek. Epistemic Logic for AI and Computer Science. Cambridge University Press, 1995.

17. F. Wolter. Fragments of first-order common knowledge logics. Studia Logica, 2000.




18. F. Wolter and M. Zakharyaschev. Satisfiability problem in description logics with modal operators. In Proceedings of the sixth Conference on Principles of Knowledge Representation and Reasoning, Montreal, Canada, 1998. Morgan Kaufmann.

19. F. Wolter and M. Zakharyaschev. Modal description logics: modalizing roles. Fundamenta Informaticae, 39:411-438, 1999.

20. F. Wolter and M. Zakharyaschev. Decidable fragments of first-order modal logics. 2000.

Updates plus Preferences* 


José Julio Alferes and Luis Moniz Pereira 


Centro de Inteligéncia Artificial, Fac. Ciéncias e Tecnologia, Univ. Nova de Lisboa, 
P-2825-114 Caparica, Portugal, 
Voice: +351 21 294 8533, Fax: +351 21 294 8541 
jja,lmp@di.fct.unl.pt 


Abstract. The aim of this paper is to combine, into a single logic pro- 
gramming framework, the hitherto separate forms of reasoning of pref- 
erences and updating. More precisely, we define a language capable of 
considering sequences of logic programs that result from the consecutive 
updates of an initial program, where it is possible to define a priority re- 
lation among the rules of all successive programs. Moreover, within the 
framework, the priority relation can itself be updated. 

In order to define a declarative semantics for the language, we start by 
reviewing the declarative semantics of updates of [1], and by presenting 
a definition of a semantics for preferences, shown equivalent to the one 
in [5], in a form suitable for its integration with the updates one. 
Before the conclusions and mention of future work, we present two illus- 
trative examples of application of the framework. 


1 Introduction 


In recent times, there has been a spate of work on reasoning with preferences and also, but separately, another spate of work on knowledge updating, both in the
logic programming context. This interest has followed in the wake of a more
general examination of flexible and dynamic forms of non-monotonic reasoning 
within artificial intelligence (AI). The present writing aims at combining these 
two heretofore separate forms of reasoning, preferring and updating, again in the 
purview of logic programming. We shall show how they complement each other, 
in that preferences select among pre-existing models, and updates actually create 
new models. Moreover, preferences may be enacted on the results of updates, 
and updates may be pressed into service for the purpose of changing preferences. 

Forms of preference which have been intensely studied include specificity in 
taxonomic defaults, authority as well as temporal overriding in legal reasoning, 
priority of effect rules over inertia rules in causal reasoning, more likely faults in 
model-based diagnosis, preferred configurations in system synthesis, and scenario 
considerations in decision making. Many prioritized versions of existing non- 
monotonic formalisms have, already for some time, been developed, namely for 
circumscription, for hierarchical auto-epistemic logic, for default logic, for belief 
revision, and for abduction. In the case of logic programming (LP), research on 
the topic of preferences is much more recent. Cf. [4,5] for additional motivation,
comparisons, applications, and references. Here, we expressly adopt the stable 
models based semantic framework of Brewka and Eiter [5], though replacing it 
with an equivalent formulation to bring it in line with our own stable models 
based update framework, with which we enmesh it. Another important reason
for this choice of preference semantics is that it obeys two desirable principles
(cf. Section 3), along with further properties spelled out by its authors.


As for updates, their significance for AI has long been the object of
much study [14,9,7]. In the LP setting, results on this topic have
likewise come at a much later date [1,6,11,13,12,15]. Herein we adopt
the stable models based update framework of [1] for the purpose of expanding 
it with the aforesaid preferences one. Sample prototypical applications of LP 
updates have included legal knowledge evolution [2], modelling of actions [3], 
taxonomic inheritance [6], and software development. 


Preferences and updates are different forms of reasoning and serve different 
goals and applications. Preferences are used along with incomplete knowledge, 
when this is modeled with default rules. In such a setting, due to the incom- 
pleteness of the knowledge, several models may be possible. Preferences act by 
choosing among those possible models. A classical example is the birds-fly prob- 
lem, where the incomplete knowledge contains the rules that birds normally fly 
and penguins normally don’t. Given an individual which is both a penguin and 
a bird, two models are possible: one, using the one rule, where the individual 
flies; another, using the other more specific rule, where it doesn’t. Preferences 
among rules can then be used to choose which one. 


Updates are used to model dynamically evolving worlds. The problem arising
here is, given a piece of knowledge describing the world, and given a change
in the world (be it a rule or fact), how to modify the knowledge to cope with
that change. The knowledge may itself be complete or incomplete: that’s not the
key issue in updates; rather, the key issue is the process of accommodating,
in the represented knowledge, any changes in the world. In this setting it may
well happen that change in the world contradicts previous knowledge, i.e. the 
union of the previous knowledge with the representation of the new knowledge 
has no model. It is up to updates to remove from the prior knowledge represen- 
tation a piece that changed, and to replace it by the new one. In this respect, 
mark well the distinction between update and revision of the knowledge, well
brought out e.g. in [14]. Whereas in the former knowledge changes due to changes
in the world, in the latter incomplete knowledge is changed due to additional in- 
formation (further completing the knowledge) about a static world view. These 
processes are different, and lead to different results. For example, suppose that 
your knowledge consists of a single rule stating that you have a flight booked for 
London, that is either for Heathrow or for Gatwick. If new information, stating 
that it is not for Heathrow, arrives thereby completing this knowledge (e.g. a 
call from your travel agency, clarifying this issue), then you should conclude that 
the flight is booked for Gatwick. If the same information (¬Heathrow) arrives
due to a change in the world (e.g. you heard on the radio that all flights for
Heathrow have been cancelled), then you should not conclude now that your
flight is booked for Gatwick.

One way to look at revision is to consider any prior rules as defeasible, add the 
new knowledge to the previous one, and assign preference to this new knowledge 
over the old one (revision as chronological preference). This stance is justifiable 
in revision: our knowledge is incomplete; to make it less incomplete, when some 
new information arrives it should be given preference over the previous. But 
a similar rationale makes little sense in updates. Suppose that at some point 
we know that normally quakers are pacifists, and that the republican Nixon is 
a quaker. Forthwith we can conclude that Nixon is a pacifist. Now something 
happens in the world so that republicans tend to be bellicists. A new rule, stating
that normally republicans are bellicists, is added as an update. What should we
conclude about Nixon? In our opinion, nothing different from a situation where
both rules are given at the same time: for Nixon, there is a conflict, and two
models exist: one where he is considered pacifist, and the other where he isn’t.
It may well happen that, given the conflict among such defeasible rules in our
incomplete knowledge, one may want to give preference to the quakers-pacifists
rule over the other rule.

In many real applications one is bound to have just incomplete knowledge 
about the world, default rules, and may want to be able to deal with a dynami- 
cally evolving world, where these rules may change in time. In such a situation 
preferences may be needed to choose among various possible models of the world, 
whereas updates are needed to deal with the knowledge on the evolution of the 
world. In this evolution, preferences themselves may change in time. Thus, a 
combination of both reasoning forms into a single framework is needed. 

Consider the following example, where default rules as well as preferences 
change over time, which requires a combination of preferences and updates, 
including the updating of preferences themselves. 


Example 1 (A sad story). (1) In the initial situation I am living and working 
everyday in the city. (2) Next, as I have received some monies, I conjure up other, 
alternative but more costly, living scenarios, namely travelling, settling up on 
a mountain, or living by the beach. And, to go with them, also the attending 
preferences, but still in keeping with the work context, namely that the city 
is better for that purpose than any of the new scenarios, which are otherwise 
incomparable amongst themselves. (3) Consequently, I decide to quit working 
and go on vacation, supported by my increased wealth, and hence to define my 
vacation priorities. To wit, the mountain and the beach are each preferable to 
travel, which in turn gainsays the city. (4) Next, I realize my preferences keep 
me all the while undecided between the mountain and the beach, and opt for the 
former. (5) Forthwith, I venture up the mountain, only to become ill on account 
of the height, and a physician advises me against too much sun exposure, be it 
at the mountain or the beach level. (6) So, I update my knowledge regarding 
health, and my concomitant priorities, and thus travel becomes the choice par 
excellence. (7) I finally run out of money for travel and return, still ill, to the 
city, cannot work, and continue my sad vacation there. 
Despite their differences, the preference and the update LP approaches we
adopt are also similar, in that both can be envisaged as wiping out rules. In 
the preference setting, one wipes out less preferred rules in order to select only 
some among the available stable models. In the update setting, one wipes out 
rules that are overruled by new rules, thereby engendering new models, including 
cases when there were none before the update took place. Looking at both in 
a similar way facilitates their coming together under one same framework. For 
preferences it makes all the sense to employ some (strict) but partial order 
on rules, for there are cases where one wishes to allow incomparable rules to 
defeat but not wipe out one another. For updates, a linear temporal order is 
employed, and alternative results may be obtained via distinct but nevertheless 
linear updating sequences, to produce a tree. A root node always exists, if need 
be the initial empty program. 

The sequel is organized as follows. First, we recap the fixpoint semantics of 
updates, which relies on erasing rules rejected by an update. Second, we define 
a fixpoint semantics for preferences which resorts to erasing unpreferred rules. 
Third, on the basis of these, we proffer a joint fixpoint semantics for both updates 
and preferences. Finally, conclusions and future work are brought out. 


2 Dynamic Logic Programs 


In this section we recall the framework of Dynamic Logic Programming (DLP)
[1] that, as motivated above, can be used to model the evolution of logic programs
through sequences of updates.

To represent negative information in logic programs and their updates, DLP
allows for the presence of default negation in rule heads¹.


Definition 1 (Generalized logic program). A generalized logic program in the language $\mathcal{L}$ is a finite or infinite set of ground rules r of the form:

$$L_0 \leftarrow L_1, \dots, L_n \qquad (n \ge 0)$$

where each $L_i$ is a literal in $\mathcal{L}$ (i.e. an atom or a default literal not A where A is an atom). By head(r) we mean $L_0$, by body(r) the set of literals $\{L_1, \dots, L_n\}$, by bodypos(r) the set of all atoms in body(r), and by bodyneg(r) the set of all default literals in body(r). We refer to bodypos(r) as the prerequisites of r. Whenever L is of the form not A, not L stands for the atom A.


The semantics of generalized logic programs is then defined as a generalization of the stable models semantics [8]. First note that, instead of using the fixpoint operator $\Gamma(M)$, one may take default literals in rule bodies as new propositional variables, add a fact not A for every $A \notin M$, and then compute the least model of the resulting definite program. It is easy to check that the resulting set of atoms, not of the form not A, will be exactly the same as in $\Gamma(M)$. Moreover, for every fixpoint of $\Gamma(M)$, $A \notin M$ iff all rules of the program with head A have a false body in M. Thus, if one is only interested in fixpoints, one may instead add not A just for every A having no rule with a true body in M. This approach views stable models as deriving not A for every atom A which is not “supported” in the program by the model.

¹ See [1] for an explanation on why default negation is needed in rule heads, rather than explicit negation. Note that a default negated atom in a rule’s head means that the atom should no longer be assumed true, whilst an explicit negated atom would mean that the atom should become false. In an update context this difference is similar to the difference between deleting a fact and asserting its complement.

Now, since one can have default literals in rule heads, there are more ways of 
deriving them. But the previous one remains. This is the basic intuition behind 
the definition of stable models for generalized programs: given a model M, first 
add facts not A for every A with no rule with true body in M; M is a stable 
model if the least model obtained after such additions coincides with M, where 
M has been enlarged with new propositional variables not A for every $A \notin M$.


Definition 2 (Default assumptions). Let M be a model of P. Then:

$$Default(P, M) = \{not\ A \mid \nexists r \in P : head(r) = A \wedge M \models body(r)\}$$


Definition 3 (Stable Models of Generalized Programs). A model M is a stable model of the generalized program P iff $M = least(P \cup Default(P, M))$.


For normal programs, this definition is equivalent to the original definition of 
stable models [8]. As shown in [1], it also coincides with the semantics presented 
in [10] when the latter is restricted to the language of generalized programs. 
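Definitions 2 and 3 can be tried out on small ground programs. The following is a minimal brute-force sketch, not the implementation referred to in the paper: literals are plain strings (`"a"` or `"not a"`), a rule is a pair `(head, body)` with `body` a tuple of literals, and a model is the set of atoms it makes true. These encodings and all function names are assumptions made here for illustration.

```python
from itertools import combinations

def atom_of(lit):
    return lit[4:] if lit.startswith("not ") else lit

def holds(lit, M):
    """Truth of a literal in the interpretation M (a set of true atoms)."""
    return atom_of(lit) not in M if lit.startswith("not ") else lit in M

def least(rules):
    """Least model of a definite program; 'not a' is treated as a fresh atom."""
    derived, changed = set(), True
    while changed:
        changed = False
        for head, body in rules:
            if head not in derived and all(b in derived for b in body):
                derived.add(head)
                changed = True
    return derived

def default(P, M, atoms):
    """Definition 2: 'not A' for every A having no rule with a body true in M."""
    return {f"not {a}" for a in atoms
            if not any(h == a and all(holds(b, M) for b in body)
                       for h, body in P)}

def is_stable(P, M, atoms):
    """Definition 3, with M enlarged by 'not A' for every A not in M."""
    M_ext = set(M) | {f"not {a}" for a in atoms if a not in M}
    facts = [(d, ()) for d in default(P, M, atoms)]
    return least(list(P) + facts) == M_ext

def stable_models(P):
    """Enumerate all interpretations; exponential, for tiny examples only."""
    atoms = sorted({atom_of(l) for h, b in P for l in (h, *b)})
    return [set(s)
            for k in range(len(atoms) + 1)
            for s in combinations(atoms, k)
            if is_stable(P, set(s), atoms)]
```

On the two-rule program `a ← not b`, `b ← not a` this yields the two expected stable models, one containing only `a` and one containing only `b`.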


In DLP, sequences of generalized programs $P_1 \oplus \dots \oplus P_n$ are given. Intuitively a sequence may be viewed as the result of, starting with program $P_1$, updating it with program $P_2$, ..., and updating it with program $P_n$. In such a view, dynamic logic programs are to be used in knowledge bases that evolve. New rules (coming from new, or newly acquired, knowledge) can be added at the end of the sequence, regardless of whether they conflict with previous knowledge. The role of dynamic logic programming is to ensure that these newly added rules are in force, and that previous rules are still valid (by inertia) as far as possible, i.e. they are kept for as long as they do not conflict with newly added ones.

The semantics of dynamic logic programs is defined according to the rationale above. Given a model M of the last program $P_n$, start by removing all the rules from previous programs whose head is the complement of the head of some later rule with true body in M (i.e. by removing all rules which conflict with more recent ones). All others persist by inertia. Then, as for the stable models of a single generalized program, add facts not A for all atoms A which have no rule at all with true body in M, and compute the least model. If M is a fixpoint of this construction, M is a stable model of the sequence up to $P_n$.

Other possible views on and uses of DLP justify slight generalizations of the above informally described language and semantics. In general, the distinguished programs represent knowledge true at some state s, where different states may stand for different stages of knowledge in the linear evolution of the knowledge base (as above), but also for different time points in possible future evolutions of the knowledge, or even for knowledge of ever more specific objects organized in a hierarchy. In the latter case, each program contains the rules that are specific to the object under consideration, and rules from programs above in the hierarchy are inherited just as long as they do not conflict with the more specific information (for more on this stance see [6]). These other views justify a tree-like structure of programs (rather than a sequence), and also that dynamic programs can be queried at any state, rather than only at the last one.


Definition 4 (Dynamic Logic Program). Let S be an ordered set with a smallest element $s_0$ and with the property that every $s \in S$ other than $s_0$ has an immediate predecessor $s - 1$ and that $s_0 = s - n$ for some finite n. Then $\bigoplus\{P_i : i \in S\}$ is a Dynamic Logic Program, where each of the $P_i$s is a generalized logic program.


Definition 5 (Rejected rules). Let $\bigoplus\{P_i : i \in S\}$ be a Dynamic Logic Program, let $s \in S$, and let M be a model of $P_s$. Then:

$$Reject(s, M) = \{r \in P_i \mid \exists r' \in P_j,\ head(r) = not\ head(r') \wedge i < j \le s \wedge M \models body(r')\}$$


To allow for querying a dynamic program at any state s, the definition of 
stable model is parameterized by the state: 


Definition 6 (Stable Models of a DLP at state s). Let $\bigoplus\{P_i : i \in S\}$ be a Dynamic Logic Program, let $s \in S$, and let $P = \bigcup_{i \le s} P_i$. A model M of $P_s$ is a stable model of $\bigoplus\{P_i : i \in S\}$ at state s iff:

$$M = least([P - Reject(s, M)] \cup Default(P, M))$$


It is clear from the definitions that stable models of dynamic programs are 
a generalization of stable models of generalized and normal programs, i.e. if the 
dynamic program consists of a single generalized (resp. normal) program then its 
semantics is the same as that of the stable models of generalized (resp. normal) 
programs. It is also shown in [1] that dynamic logic programs generalize the 
interpretation updates of [11]. 
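Definitions 5 and 6 can likewise be exercised on a small linear sequence of programs. The sketch below is a brute-force illustration under stated assumptions, not the transformational implementation of [1]: states are the list indices 0, 1, 2, ..., so only linear sequences are covered (not trees), literals are strings, rules are hashable pairs `(head, body)`, and all function names as well as the television example are hypothetical.

```python
from itertools import combinations

def atom_of(lit):
    return lit[4:] if lit.startswith("not ") else lit

def complement(lit):
    return lit[4:] if lit.startswith("not ") else "not " + lit

def holds(lit, M):
    return atom_of(lit) not in M if lit.startswith("not ") else lit in M

def least(rules):
    """Least model of a definite program; 'not a' is treated as a fresh atom."""
    derived, changed = set(), True
    while changed:
        changed = False
        for head, body in rules:
            if head not in derived and all(b in derived for b in body):
                derived.add(head)
                changed = True
    return derived

def reject(programs, s, M):
    """Definition 5: rules overridden by a later rule whose body is true in M."""
    rejected = set()
    for i in range(s + 1):
        for r in programs[i]:
            for j in range(i + 1, s + 1):
                if any(h2 == complement(r[0]) and all(holds(b, M) for b in b2)
                       for h2, b2 in programs[j]):
                    rejected.add(r)
    return rejected

def default(P, M, atoms):
    """Definition 2, computed over the union P of all programs up to s."""
    return {f"not {a}" for a in atoms
            if not any(h == a and all(holds(b, M) for b in body)
                       for h, body in P)}

def stable_models_at(programs, s):
    """Definition 6 by exhaustive search over interpretations."""
    P = {r for prog in programs[: s + 1] for r in prog}
    atoms = sorted({atom_of(l) for h, b in P for l in (h, *b)})
    models = []
    for k in range(len(atoms) + 1):
        for subset in combinations(atoms, k):
            M = set(subset)
            M_ext = M | {f"not {a}" for a in atoms if a not in M}
            kept = P - reject(programs, s, M)
            facts = {(d, ()) for d in default(P, M, atoms)}
            if least(kept | facts) == M_ext:
                models.append(M)
    return models

# Illustrative sequence: the TV is on; then a power failure; then it ends.
programs = [
    [("sleep", ("not tv_on",)), ("tv_on", ()), ("watch_tv", ("tv_on",))],
    [("not tv_on", ("power_failure",)), ("power_failure", ())],
    [("not power_failure", ())],
]
```

Querying `stable_models_at(programs, s)` for s = 0, 1, 2 shows the fact `tv_on` being rejected while the power failure holds and coming back into force by inertia once the failure itself is rejected.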

In [1] a transformational semantics for dynamic programs is also presented. 
According to this equivalent definition, a sequence of programs is translated into 
a single generalized program (with one new argument added to all predicates) 
whose stable models are in one-to-one correspondence with the stable models of 
the dynamic program. This transformational semantics is the basis of an existing
implementation of dynamic logic programming².


3 Preferred Stable Models 


In this section we recall the preferences approach of [5], and set forth a definition of preferred stable models for generalized logic programs (rather than for extended logic programs as in [5]) in a form suitable for integration with the above described updates. In [5], logic programs are supplied with priority information, given in the form of a strict partial ordering on program rules³.

² Publicly available from: http://centria.di.fct.unl.pt/~jja/updates/


Definition 7 (Prioritized generalized logic program). Let P be a generalized program and let < be a strict partial order over the rules of P, where $r_1 < r_2$ means $r_1$ is preferred to $r_2$. Then (P, <) is a prioritized generalized program⁴.


Intuitively, the priority information is used to prefer among the various stable models of the program. The question here is what stable models to prefer in the face of a given priority relation among rules. To respond to this question, the authors in [5] start by formulating two principles any preference system should satisfy. The first (Principle I) is envisaged as a minimal requirement for preference handling, and states that if a stable model $M_1$ is generated by a set of rules⁵ $R \cup \{r_1\}$, and another stable model $M_2$ is generated by $R \cup \{r_2\}$, where $r_1, r_2 \notin R$, then, if $r_1 < r_2$, $M_2$ cannot be preferred. The second (Principle II) captures a notion of relevance. It affirms that adding a rule which is not applicable in a preferred model can never render this model unpreferred.

With these two principles in mind, [5] defines a criterion for preferring among stable models, given a priority relation on rules. Their basic idea is that a stable model M can only be preferred if, for each rule in the program, whenever its (positive) prerequisites are true in M and its head is false in M, then there must be some not A in its body which is false in M, and there is a more preferred rule generating A. I.e., for a rule with true prerequisites not to be applied, there must be a higher-priority rule preventing its application.

Before presenting our equivalent definition of preferred stable models, let us 
first briefly review the formal definition of preferred answer sets of [5] specialized 
for the case where the program is ground. A preferred answer-set is a model 
of the program simultaneously satisfying two conditions: it must be a stable 
model (i.e. be a fixpoint of the $\Gamma$ Gelfond-Lifschitz operator); it must satisfy a
fixpoint equation which, intuitively, guarantees that the rules are being applied 
in observance of the partial order, i.e. that the criterion described above is met. 

Adopting the view that rules are applied one at a time, a partial ordering on 
rules should be viewed as a representative of all its possible refinements into
total orderings. These, defined in [5], are dubbed full prioritizations of prioritized
programs. A program is said to be fully prioritized if it coincides with its single full
prioritization. The fixpoint construction guaranteeing that rules of a fully prior- 
itized program are applied in the correct order is carried out in two steps. First, 
all (positive) atoms in the body are preprocessed away on the basis of their truth
value in the model. More precisely, this so-called dual Gelfond-Lifschitz reduction
ᴹR is obtained from R by first deleting every rule having a prerequisite A
such that A ∉ M, and then removing from the remaining rules all prerequisites.
All bodies of rules now exhibit only default literals.


3 For a comparison with approaches ordering atoms rather than rules see [5].

4 Note that, in contradistinction to [5], our priority relation is defined for ground
programs. To define the relation directly on non-ground programs, the methodology
given in [5], using well-orderings, could just as well be applied to our case. However,
for simplicity, we will not consider it in this paper.

5 The set of rules that generate a stable model is made up of all the rules in the
program whose body is true in the stable model.

The correct order of applying rules is then checked in the thus obtained prere- 
quisite-free program. Informally, this is achieved by, following rule order, adding 
the heads of those rules that are not defeated by a rule having higher priority 
(whose head has been added). Formally: 


Definition 8 (Defeating of rules). A rule r is defeated by a set of literals S
iff ∃ not A ∈ body(r) : A ∈ S.


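Definition 9 (C_R operator [5]). Let R = (P,<) be a prerequisite-free fully
prioritized logic program, and let M be a set of ground literals. C_R(M) is the least
fixpoint of the sequence S_α (where α ranges over the rules of the fully prioritized
P, according to their (total) ordering):

\[
S_\alpha =
\begin{cases}
\bigcup_{\beta<\alpha} S_\beta & \text{if } r_\alpha \text{ is defeated by } \bigcup_{\beta<\alpha} S_\beta \text{, or } r_\alpha \text{ is defeated by } M \text{ and } head(r_\alpha) \in M; \\
\bigcup_{\beta<\alpha} S_\beta \cup \{head(r_\alpha)\} & \text{otherwise.}
\end{cases}
\]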


Definition 10 (Preferred Answer Set). Let R = (P,<) be a prioritized logic
program and let R_f = (P,<_f) be a full prioritization of R. A model M of P is
a preferred answer set of R iff M = Γ_P(M) and M = C_{ᴹR_f}(M).
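
For finite ground programs, the dual reduction and Definitions 8 and 9 can be sketched in Python as follows. This is only an illustrative sketch under stated assumptions, not the construction of [5] itself: the Rule tuple and the function names are hypothetical, heads are plain atoms, and the order of the rule list is taken to be the total order of the full prioritization (most preferred rule first). Only the second condition of Definition 10 is checked; the stability condition M = Γ_P(M) is left out.

```python
from typing import FrozenSet, NamedTuple


class Rule(NamedTuple):
    head: str              # an atom (assumption: no default literals in heads)
    pos: FrozenSet[str]    # prerequisites (positive body atoms)
    neg: FrozenSet[str]    # atoms A that occur as "not A" in the body


def rule(head, pos=(), neg=()):
    return Rule(head, frozenset(pos), frozenset(neg))


def dual_reduct(rules, m):
    """Drop rules with a prerequisite outside m, then erase all prerequisites."""
    return [Rule(r.head, frozenset(), r.neg) for r in rules if r.pos <= m]


def defeated(r, s):
    """Definition 8: some 'not A' in the body of r has A in s."""
    return bool(r.neg & s)


def c_operator(rules, m):
    """Definition 9 for a finite prerequisite-free program.

    Assumption: `rules` is listed from most preferred to least preferred.
    """
    s = set()
    for r in rules:
        if defeated(r, s) or (defeated(r, m) and r.head in m):
            continue          # head of r is not added
        s.add(r.head)
    return s


# The program a <- not b, b <- not a, with the first rule preferred.
program = [rule("a", neg=["b"]), rule("b", neg=["a"])]
for m in ({"a"}, {"b"}):
    print(sorted(m), c_operator(dual_reduct(program, m), m) == m)
# prints: ['a'] True, then ['b'] False
```

Only {a} is reproduced by the operator, so {b} fails the second condition of Definition 10.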


As motivated in the Introduction, and in order to facilitate the capture of 
both preferences and updates in one single framework, it is our goal in this 
section to devise a declarative semantics for prioritized generalized programs 
based on the removal of (less preferred) rules, inasmuch as our update framework
hinges likewise on the removal of rules; this maneuver is crucial for fusing the 
two. Moreover, we require this semantics to coincide with the one in [5] on normal 
programs. The main issue in so doing rests in determining criteria for which rules 
to remove, in order to obtain exactly the same semantics. Before presenting 
its definition, we begin by reporting, with small but illustrative examples, on 
the problems involved in finding them⁶. As in [5], we start with the case of
prerequisite-free programs. 


Example 2. Consider the program: (1) a ← not b   (2) b ← not a, where
rule (1) is preferred over rule (2). Its stable models are M₁ = {a} and M₂ = {b},
the preferred one being M₁. Intuitively, since (1) < (2) and the head of rule (1)
defeats (2), in order to obtain the preferred stable model, one should remove
rule (2). Indeed, M₁ is the single stable model of the program after the excision.


6 This account is important here because, for lack of space, the proof of equivalence
with [5] does not fit. The problems depicted below form the core issues dealt with 
by the proof.

Note that the reasoning brought out in this example concurs with the definition
of the C_R operator. According to it, the head of a rule is not added if the
rule is defeated by the previously constructed set. But this set is formed precisely 
by the heads of the more preferred rules. Instead of not adding the head to the 
set, the same effect can be achieved by removing the rule, i.e. by removing all 
rules defeated by the head of a more preferred rule, which has not itself in turn 
been removed. 


Example 3. Consider now: (1) b ← not c   (2) c ← not d   (3) a ← not b
(4) b ← not a, where rule (i) is preferred over rule (j) iff i < j. Its stable
models are M₁ = {a,c} and M₂ = {b,c}. According to Principle I above, since
M₁ is generated by rules (2) and (3), and M₂ by rules (2) and (4), M₂ should
not be preferred. But, resorting to the reasoning explained above, rule (3) is
removed (as it is defeated by the head of rule (1)), and the only stable model of
the resulting program becomes M₂. Why shouldn't rule (1) remove (3)? Because
rule (1) is defeated in whichever model. This is in line with Definition 9 (2nd
line of S_α) where heads of rules true in the model, whose body is defeated by the
model, are not added to the set. Accordingly, given some model, all such rules
are removed. Hereafter, we refer to them as “unsupported rules”.

Consequently, in model M2 rule (1) is removed, as well as rule (4) (the latter 
is defeated by the head of the more preferred and non-removed rule (3)). And 
M₂ is not a stable model of the program after those rules are withdrawn.


The two above criteria for deleting rules (viz. deleting less preferred rules 
defeated by the head of some more preferred rule, and deleting “unsupported 
rules”) concur with the definition of the C_R operator. However, as evidenced by
the example below, they are not enough. 


Example 4. Consider now: (1) a ← not b   (2) b ← not c   (1) < (2),
whose only stable model is M = {b}, which according to [5] is not preferred. This
is so because rule (1) is neither unsupported (a is not true in M) nor defeated
by a more preferred rule, so a is added in the construction of C_R(M), and M
cannot thereafter be a fixpoint of the operator. However, using only the two
above criteria neither of these two rules is eliminated, and M would be preferred.


To obtain the effect achieved by [5], one must guarantee that, in spite of rule 
removal, a is enforced in the preferred models of the reduced program. This is 
accomplished by removing any rules less preferred than the one for a which,
were they not removed, would cause a not to be in the preferred models. In
other words, one is required to remove all rules having true body in the model, 
whose heads defeat a more preferred rule. Mark well that if the body of the 
less preferred rule is not actually true in the model, then the defeating is only a 
potential but not effective one, and the rule must not be eliminated. Indeed, its 
preservation will permit it to defeat, and cause to remove, rules less preferred 
than itself even if they attack it. When considering programs with prerequisites, 
one must further insist that the more preferred rule is not deleted by the dual 
reduct transformation. This is ensured by verifying that the positive part of the
body of the more preferred rule is actually true in the model. A similar reasoning
applies to the other two criteria explained above. These three criteria suffice for 
formalizing, in Definition 12, the set of unpreferred rules. 


Definition 11 (Unsupported rules). Let M be a model of P. Then:

\[
Unsup(P, M) = \{\, r \in P : M \models \{head(r)\} \cup bodypos(r) \;\wedge\; M \not\models bodyneg(r) \,\}
\]


Definition 12 (Unpreferred rules). Let M be a model of P. The set of unpreferred
rules, Unpref(P, M), is the least set of rules that includes Unsup(P, M),
and every r in P such that:

\[
\exists r' \in P - Unpref(P, M) :\; r' < r \;\wedge\; M \models bodypos(r') \;\wedge\;
[\, not\ head(r') \in bodyneg(r) \;\vee\; (not\ head(r) \in bodyneg(r') \wedge M \models body(r)) \,]
\]


Lack of space prevents us from showing that such a least set always exists. 
Indeed, it can be constructed by iterating the definition of unpreferred rule
according to the rules' ordering, starting from the set of unsupported rules.

For programs with positive atoms in rule bodies, the effect of the dual re- 
duction operation of [5] is obtained by adding to the program facts not A for 
every A with no rule in the original program with true body in the model, and 
thereafter computing the least model. 


Definition 13 (Preferred Stable Models). A model M of program P is a 
preferred stable model of the prioritized generalized program (P,<) iff: 


M = least([P — Unpref(P, M)] U Default(P, M)) 


This guarantees that the preferred models obtained after removing all un- 
preferred rules are also stable models of P, and so only one fixpoint equation is 
needed in this definition, as desired. Verily: 


Proposition 1. Let M be a preferred stable model of (P,<). Then M is also a 
stable model of P, i.e. M = least(P U Default(P, M)). 
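
Definitions 11 to 13 can be tried out on small ground programs with the following Python sketch. It is a hedged illustration rather than the authors' implementation: all names (Rule, unpref, default, least, is_preferred_stable) are hypothetical, heads are restricted to atoms, the priority relation is passed as a set of index pairs assumed to be a transitive strict partial order, and Default(P, M) is read as described above (a fact not A for every atom A with no rule whose body is true in M).

```python
from typing import FrozenSet, NamedTuple


class Rule(NamedTuple):
    head: str              # an atom (assumption: normal programs only)
    pos: FrozenSet[str]    # bodypos: prerequisites
    neg: FrozenSet[str]    # bodyneg: atoms A occurring as "not A"


def rule(head, pos=(), neg=()):
    return Rule(head, frozenset(pos), frozenset(neg))


def atoms_of(p):
    return {r.head for r in p} | {a for r in p for a in r.pos | r.neg}


def body_true(r, m):
    return r.pos <= m and not (r.neg & m)


def unpref(p, prefers, m):
    """Indices of the unpreferred rules (Definitions 11 and 12).

    prefers holds pairs (i, j) meaning rule i < rule j. Because it is assumed
    transitive, sorting by number of predecessors visits each rule only after
    every rule preferred to it has been decided.
    """
    removed = {i for i, r in enumerate(p)
               if r.head in m and r.pos <= m and (r.neg & m)}   # Unsup(P, M)
    preds = {j: [i for (i, k) in prefers if k == j] for j in range(len(p))}
    for j in sorted(preds, key=lambda j: len(preds[j])):
        r = p[j]
        for i in preds[j]:
            rp = p[i]
            if i in removed or not rp.pos <= m:
                continue
            if rp.head in r.neg or (r.head in rp.neg and body_true(r, m)):
                removed.add(j)
                break
    return removed


def default(p, m):
    """'not A' for each atom A with no rule whose body is true in m."""
    return {"not " + a for a in atoms_of(p)
            if not any(r.head == a and body_true(r, m) for r in p)}


def least(rules, facts):
    """Least model, reading each default literal 'not A' as a fresh atom."""
    known = set(facts)
    changed = True
    while changed:
        changed = False
        for r in rules:
            body = r.pos | {"not " + a for a in r.neg}
            if body <= known and r.head not in known:
                known.add(r.head)
                changed = True
    return known


def is_preferred_stable(p, prefers, m):
    """Definition 13, with M given as its set of true atoms."""
    m = set(m)
    removed = unpref(p, prefers, m)
    kept = [r for i, r in enumerate(p) if i not in removed]
    interpretation = m | {"not " + a for a in atoms_of(p) - m}
    return least(kept, default(p, m)) == interpretation


example2 = [rule("a", neg=["b"]), rule("b", neg=["a"])]   # (1) < (2)
example4 = [rule("a", neg=["b"]), rule("b", neg=["c"])]   # (1) < (2)
print(is_preferred_stable(example2, {(0, 1)}, {"a"}))   # True
print(is_preferred_stable(example2, {(0, 1)}, {"b"}))   # False
print(is_preferred_stable(example4, {(0, 1)}, {"b"}))   # False
```

With an empty priority relation no rule is unpreferred unless it is unsupported, and the test reduces to the stable model condition of Proposition 1; for instance, {b} passes it for the program of Example 4.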


Now, as expected, as this was one of our primary goals for the definition of 
preferred stable models, in programs where both the preferred answer sets of [5] 
and our preferred stable models can be applied (i.e. in normal programs), their 
results coincide. For an extensive study of the properties of preferred answer-sets, 
their intuitions, examples, and comparisons with related approaches see [5].


Theorem 1. Let P be a ground normal logic program, and let < be a strict 
partial order over the rules of P. M is a preferred stable model of (P,<) iff M 
is a preferred answer-set of (P,<) in the sense of Brewka and Eiter [5].


4 Updating Logic Programs with Preferences


Having separately defined both updates and preferences in an analogous way, in 
this section we combine both concepts into a unified framework. Moreover, as
motivated in the Introduction, the combined framework must also allow for the 
updating of the priority relation itself. 

Leaving, for now, the issue of updating the priority relation, we must consider 
sequences of generalized programs P₁ ⊕ ... ⊕ P_n, viewed as sequences of updates
of an original program, plus some priority relation among rules. One first basic 
question is in order: where to define the priority relation? Among the rules for 
the same program? Or among rules in the union of all programs in the sequence? 
More formally, should there be a strict partial order <_i for each of the P_i in the
sequence, or should there be a single strict partial order < defined over the rules
of ⋃_{i∈S} P_i? Clearly, the latter approach is more general than the former: it does
not prevent limiting the priority relation to rules in the same P_i, while the former
does prevent priority relations between rules from different P_i's. Furthermore, the
extra generality is useful. For instance, in the situation of Example 1, one may 
want to say at a given state that I go to the beach unless I go to the mountain, 
and later say that I go to the mountain unless I go to the beach, and establish a 
priority over these rules. Note that the rules were introduced at different update 
stages, and so the priority relation is to be established between rules of different 
P_i's. Accordingly, in our framework we consider a single priority relation defined
on the rules of ⋃_{i∈S} P_i, which can evolve as new rules are introduced.

To cope with the possibility of updating the priority relation, it cannot be 
fixed. Rather it must be described in some language that allows for the possi- 
bility of its evolution, via updates. One such language is precisely DLP and, for 
uniformity, that is what is used in our framework. Thus, instead of a sequence 
of programs representing knowledge, we have a sequence of pairs: of programs 
representing knowledge, and of programs describing the priority relation among 
rules of the knowledge representation. In general, an update of the priority rela- 
tion may depend on some other predicate (e.g. in Example 1, I may want to say 
that, if I have to work, then I prefer the rule advising me to stay in the city). To 
permit this generality, we allow rules in programs describing the priority relation 
to refer to predicates defined in the programs that represent knowledge. 


Definition 14 (Dynamic Prioritized Programs). Let 𝒫 = {P_s : s ∈ S} be
a dynamic logic program whose alphabet does not contain the binary predicate
symbol < (denoting a strict partial order), and let ℛ = {R_s : s ∈ S} be another
dynamic logic program whose alphabet contains at least the predicate symbol <,
and whose set of constants includes all the rules in the union of all P_s in 𝒫.
Then ⨁{(P_s, R_s) : s ∈ S} is a Dynamic Prioritized Program.


Given the very deliberate definition forms of the semantics of preferences and
of updates, it is not difficult to combine both in a single one, as per the above
delineated framework. Given a model M of the last program in the sequence
(or, in the general setting, of the program state we want to query), for testing
stability we have first to remove all the rejected rules according to updates, and
then all the unpreferred rules according to preferences. Note, however, that if
both sets of rules (rejected and unpreferred) were removed simultaneously, then a
rule which is rejected by an update might serve for unpreferring some other rule.
This would lead to counterintuitive results. In fact, updates have precedence 
over preferences. If a previous rule is invalidated by a subsequently introduced 
rule, then the former should no longer be available in the preferences setting. 
Accordingly, the set of unpreferred rules must be determined on the basis of the 
program obtained after removing those rules rejected by any updates. In general, 
the union of all programs in the sequence may be inconsistent, and it would make 
no sense to apply preferences to this inconsistent set of rules; updates are applied 
first (by rejecting rules) and allow you to come up with a consistent set of rules; 
preferences then intervene to choose among the various models of that consistent 
set of rules. 

Since the priority relation is itself defined by the dynamic prioritized program, 
models must also take into account the < predicate, i.e. one has to entertain models
of the union of P_s with R_s. Moreover, in the definition of unpreferred rules,
the priority relation must be checked in regard to the model under consideration: 


Definition 15 (Unpreferred rules). Unpref(P, M) is the least set of rules
including Unsup(P, M) and rules r in P such that:

\[
\exists r' \in P - Unpref(P, M) :\; M \models r' < r \;\wedge\; M \models bodypos(r') \;\wedge\;
[\, not\ head(r') \in bodyneg(r) \;\vee\; (not\ head(r) \in bodyneg(r') \wedge M \models body(r)) \,]
\]


In the definition of preferred stable model, it is crucial that the priority re- 
lation be a strict partial order (i.e. irreflexive and transitive). In our framework, 
since the user can write any rules for describing predicate <, it may well happen 
that its extension is a relation not complying with those properties. The definition
of the semantics must prevent this being the case, i.e. must only consider
models where the extension of predicate < is indeed a strict partial order. Thus: 


Definition 16 (Preferred Stable Models at state s). Let ⨁{(P_i, R_i) :
i ∈ S} be a Dynamic Prioritized Logic Program, let s ∈ S, and let PR =
⋃_{i≤s} (P_i ∪ R_i). A model M of P_s ∪ R_s is a preferred stable model at state s iff:

– \( \forall r : (r < r) \notin M \) and \( \forall r_1, r_2, r_3 : \{r_1 < r_2,\; r_2 < r_3\} \subseteq M \Rightarrow (r_1 < r_3) \in M \)
– \( M = least\big( [PR - Reject(s, M) - Unpref(PR - Reject(s, M), M)] \cup Default(PR, M) \big) \)
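
The first condition of Definition 16 only inspects the extension of < in M. A minimal Python sketch of that check is given here as an illustration; the function name and the encoding of the relation as a set of pairs of rule identifiers are assumptions made for the example.

```python
from itertools import product


def is_strict_partial_order(pairs):
    """pairs: set of (x, y) such that the atom 'x < y' belongs to the model."""
    irreflexive = all(x != y for x, y in pairs)
    transitive = all((x, w) in pairs
                     for (x, y), (z, w) in product(pairs, repeat=2)
                     if y == z)
    return irreflexive and transitive


# Extension of < in the state 4 model of Example 5 (rules named by number).
state4 = {(4, 5), (4, 6), (4, 1), (5, 6), (5, 1), (6, 1)}
print(is_strict_partial_order(state4))             # True
print(is_strict_partial_order({(1, 2), (2, 1)}))   # False
```

The second relation fails because transitivity would force (1, 1) into the model; a candidate model with such an extension is simply discarded.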


This definition makes it clear that dynamic prioritized programs generalize 
both dynamic logic programs and prioritized logic programs. In fact, if all the 
R_i's are empty, then Definition 16 is clearly equivalent to Definition 6. And if
there is a single pair (P,R) in the sequence, then Definition 16 is equivalent 
to Definition 13, the priority relation of the prioritized program being the least 
model of R. We now illustrate the overall framework with two examples:

Example 5. The first 4 stages in the “sad story” of Example 1 can be modelled
by the dynamic prioritized program (P₁, R₁) ⊕ ... ⊕ (P₄, R₄) (where, for simplicity,
we adopt unique numbers for rules, instead of the rules themselves in the
priority relation, and where c stands for “living in the city”, mt for “settling on
a mountain”, b for “living by the beach”, t for “travelling”, wk for “work”, vac
for “vacations”, and mo for “possessing money”):


P₁: (1) c ← not mt, not b, not t            R₁: X < Y ← X < Z, Z < Y
    (2) wk ←                                R₂: (1) < (4) ← wk
    (3) vac ← not wk                            (1) < (5) ← wk
P₂: (4) mt ← not c, not b, not t, mo            (1) < (6) ← wk
    (5) b ← not mt, not c, not t, mo        R₃: (4) < (6) ← vac
    (6) t ← not mt, not b, not c, mo            (5) < (6) ← vac
    (7) mo ←                                    (6) < (1) ← vac
P₃: (8) not wk ←
P₄: {}                                      R₄: (4) < (5)


For example, the only preferred stable model at state 4 is: 
{mt, vac, mo, (4) < (5), (4) < (6), (4) < (1), (5) < (6), (5) < (1), (6) < (1)} 


and the preferred stable models at state 3 are two: 


{mt, vac, mo, (4) < (6), (4) < (1), (5) < (6), (5) < (1), (6) < (1)}
{b, vac, mo, (4) < (6), (4) < (1), (5) < (6), (5) < (1), (6) < (1)}


Note in this example how the inertia of the transitivity rule (added in R₁)
enforces transitivity on the priority relation in all the subsequent states. 


Example 6. Consider the following situation (adapted from an example of qual- 
itative decision making in [5]). You want to buy a car and, for that purpose, you 
have collected the following information about different types of cars: safe(volvo), 
fast(chevrolet), expensive(chevrolet), safe(chevrolet), and fast(porsche). 
Let’s assume you like fast cars, and your budget does not allow you to purchase 
an expensive one. Moreover, you cannot afford more than one car. 

This situation can be modelled by P₁ which, besides the facts above, has⁷:

(1) not buy(X) ← avoid(X)
(2) avoid(X) ← not buy(X), expensive(X)
(3) buy(X) ← not avoid(X), fast(X)
(4) avoid(Y) ← fast(X), buy(X), Y ≠ X


See [5] for an explanation on how to come up with this program given the
described situation, in particular the need for rule (4) in modelling the fact
that you may not buy two cars⁸. Since there is not much you can do with your
restricted budget, rule (2) has priority over rules (3) and (4). So R₁ = {(2) <
(3), (2) < (4)}.


7 Rules with variables simply stand for their (finite) ground instances.

8 In fact, the coding of this piece of knowledge by itself is not related to updates,
and the rules above are just those present in [5] where ¬buy(X) is here replaced by
avoid(X), and (1) encodes the relation between these two predicates.

The reader can check that the only preferred stable model of (P₁, R₁) includes
{buy(porsche), avoid(volvo), avoid(chevrolet)}, besides the facts and the
priority relation, and you should buy the Porsche.

Now your “significant other” insists that you should consider buying a safe 
car. Moreover, as a gentleperson, you ascribe priority to your partner’s sugges- 
tion. To assimilate this new information you update your knowledge with: 

P₂: (5) buy(X) ← not avoid(X), safe(X)
    (6) avoid(Y) ← safe(X), buy(X), Y ≠ X
and R₂ = {(5) < (3), (5) < (4), (6) < (3), (6) < (4), (2) < (5), (2) < (6)}. Now
the only preferred stable model (at state 2) includes buy(volvo), avoid(porsche)
and avoid(chevrolet), and you should buy the Volvo instead.

Now suppose you discover Volvos are out of stock, and so you cannot buy 
one so soon. For that you add P₃ = {not buy(volvo)}, plus an empty R₃. With
this new update, rule (5) is now rejected, and the only stable model at state 3 
this time includes {buy(porsche), avoid(volvo), avoid(chevrolet)}. 


5 Conclusions and Future Work 


We have motivated the need for coupling preferences with updates, and shown 
how to accomplish it within the logic programming paradigm. We did so by 
devising a unified framework that combines the hitherto separate approaches to 
each aspect, and allows for preferences themselves to be updated. The framework 
coincides with [5] when a single program is given in the sequence, and with [1] 
when the preference relation is empty. Thus, for comparisons of this framework 
with others with preferences alone see [5], and for that with others with updates 
alone see [1]. 

To the best of our knowledge, [15] is the only work considering some combi- 
nation of preferences and updates. However, the generality of the combination 
of both reasoning mechanisms in [15] is far from that of the present paper. In 
fact, [15]’s concern is with updates alone, and mainly considers the process of 
updating one program by another program, with mechanisms similar to those 
of [1] (i.e. removing rules from the initial program which “somehow” contradict 
rules from the update program, and retaining all others by inertia). Addition- 
ally, at the end, all rules from the update program are given preference over all 
retained rules of the initial program. No other preference ordering is considered 
there. And, as argued in the Introduction, updates alone do not necessarily force 
such preferences. In our framework, the user can state that more recent rules are 
preferred over older ones, but is also free to state differently. Moreover, in our 
framework the preference relation itself can be updated. The greater generality 
of our approach stems as well from our usage of [1] as the basis for updates. In 
fact, note that [1] considers arbitrary sequences of updates whereas [15] simply 
considers the update of one program by another. In [15] some semantical properties
of their system are investigated. However, all such properties address only
updating, and not some combination of it with preferences. It remains to be
studied what generic principles any system combining preferences and updates
(not necessarily in logic programming) should comply with. Those principles
would help the comparison with [15] and possibly other systems. Such a generic
study, and the verification of the principles in our framework, is work we are
now developing.

Several other topics cry out for subsequent development. First, we are work- 
ing on a transformational semantics of preferences into logic programs, to be 
coupled with the extant aforementioned one for updates. This will readily
facilitate an implementation of the overall framework, as well as serve as a basis
for the study of its computational properties.

An outstanding issue, on which some effort needs deploying, concerns how 
to automatically ensure irreflexivity and transitivity of the partial order, as it 
is being updated. For the moment this responsibility is wholly relegated to the 
updater. As it stands, in case of infringement there will simply be no model, 
as per Definition 16. It is in our plans to study the adequacy of the update 
mechanism on rules for predicate < so as to automatically guarantee irreflexivity 
and transitivity. In this respect, note in Example 5, how transitivity is always 
guaranteed by adding one rule to the initial program. 

Finally, we also intend to explore application areas such as e-commerce, legal 
reasoning, and rational agents. They will certainly provide valuable opportunities 
and hints for the evolution of the topics broached in this paper.


Abstract. In this paper we show how several different semantics for belief
update can be expressed in a framework for reasoning about actions.
This framework can therefore be considered as a common core of all these 
update formalisms, thus making it clear what they have in common. This 
framework also allows expressing scenarios that are problematic for the 
classical formalization of belief update. 


1 Introduction 


Belief update and reasoning about actions are two well studied areas of research 
about the evolution of knowledge over time. The similarities between these two 
fields have already been pointed out by some researchers: for example del Val 
and Shoham [4] use a theory of action to derive a semantics for belief update; Li 
and Pereira [8] use a Ginsberg-like semantics for updating a theory of actions. 

In this paper we present a very simple action description language [6] with 
narratives that allows expressing several different update semantics. The basic 
principles of this language have already been investigated in the literature. Indeed,
the basic semantics of this language can be seen as a proper restriction of the
language ℒ by Baral et al. [1]. What is new in this paper is not the language
itself, but rather the way it is able to express update semantics. 

To introduce the language, we consider an example similar to the evergreen 
Yale Shooting Problem. 


initially Loaded
initially Alive
Alive holds at 3
Shoot happens at 2
Unload causes ¬Loaded
Shoot causes ¬Alive if Loaded


Short explanation of the syntax: at time 0 Fred is alive, and the gun is
loaded. Fred is still alive at time 3. This is the meaning of the initially and
holds at propositions. The happens at proposition states that the action Shoot
is executed at time 2. The last two propositions specify the effect of actions: the
action Unload causes the gun to be loaded no longer, while the action Shoot
causes Fred to die, if the gun is loaded.

According to the original semantics of the basic action description language 
A [6], this domain description is inconsistent. This can be intuitively explained 
as follows: at time 0 the gun is loaded. Since nothing happens between time 0 
and 2, the gun remains loaded. As a result, shooting at Fred at time 2 causes
him to die, since the gun is still loaded, which contradicts the proposition
stating that Fred is alive at time 3.

Such inconsistent scenarios are very common in the field of belief revision 
and update. Suppose for example we have loaded the gun at time 0. Then, we 
have done nothing modifying the domain of interest (e.g. we go out for a walk, 
we have a nap, we just do nothing at all, etc.) When we shoot the gun, Fred does 
not die. This is surprising, since we expected the gun to be still loaded. However, 
it is very easy to find an explanation: someone unloaded the gun while we were
not looking at it. Such a conclusion can be drawn assuming that some actions may
take place at some time points, and this is initially not known. 

In languages with narratives, such as the language AU introduced in this
paper, such a deduction is possible. Note that it is not only a matter of finding
an explanation of already known facts. For example, we can conclude that
¬Loaded holds at 2 from the domain description above. Such an inference is
clearly impossible in the basic action description language A.
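
The two readings of the gun scenario can be replayed with a small Python sketch. It is an illustration under assumptions that are not taken from this section: states are sets of fluent names, an action executed at time t turns the state at t into the state at t+1, nothing changes when no action occurs, and the transition adds caused fluents and removes negated ones in the style of the language A. Preconditions are simplified to lists of literals, and the second run assumes an Unload at time 1, an occurrence that is not part of the narrative.

```python
def holds(literal, state):
    """A literal is a fluent name, prefixed with '-' when negated."""
    if literal.startswith("-"):
        return literal[1:] not in state
    return literal in state


def apply_action(action, state, effects):
    """Add the caused fluents and delete the negated ones (assumed transition)."""
    fired = [eff for (act, eff, pre) in effects
             if act == action and all(holds(p, state) for p in pre)]
    added = {e for e in fired if not e.startswith("-")}
    deleted = {e[1:] for e in fired if e.startswith("-")}
    return (set(state) | added) - deleted


def trajectory(initial, effects, happens, horizon):
    """States at times 0..horizon; `happens` maps a time point to an action."""
    states = [set(initial)]
    for t in range(horizon):
        current = states[-1]
        if t in happens:
            states.append(apply_action(happens[t], current, effects))
        else:
            states.append(set(current))
    return states


effects = [("Unload", "-Loaded", []), ("Shoot", "-Alive", ["Loaded"])]
initial = {"Loaded", "Alive"}

# Only the known action: Fred is dead at time 3, against "Alive holds at 3".
classical = trajectory(initial, effects, {2: "Shoot"}, horizon=3)
print(holds("Alive", classical[3]))      # False

# Assuming an unobserved Unload at time 1 restores consistency.
explained = trajectory(initial, effects, {1: "Unload", 2: "Shoot"}, horizon=3)
print(holds("Alive", explained[3]))      # True
print(holds("-Loaded", explained[2]))    # True
```

An Unload at time 0 would serve equally well as an explanation; in both cases ¬Loaded holds at time 2, in line with the conclusion mentioned above.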

The example describes a prototypical scenario of belief update: we have a set 
of facts which are known to hold at a certain time point (e.g. the gun is loaded
and Fred is alive at time 0). In a subsequent time point something is observed 
(e.g. Fred is alive at time 3). The possible inconsistency between the facts and 
the observation is explained as due to changes that happened in the world. In this
paper, the assumption is that all changes are caused by actions. 

The formalization of change given in belief update is very simple. If T is a 
set of known facts, and P is an observation, T * P denotes the result of updating 
T with P, that is, our knowledge after the observation of P. The use of this 
notation seemed the natural choice to the first researchers in the field, since 
what we want to formalize is indeed the update of T with P. 

This notation is very simple, but sometimes it does not allow enough
information to be expressed. The example of the gun contains information that cannot
be formalized using the star notation. For example, there is no way to express the
fact that it is impossible for Fred to become alive once he is dead. Such information
cannot be represented using the notation T * P, since the only information
expressed in this way is the old set of facts T and the observation P. Another
problem is the impossibility of deciding what is true at time points before the
update. In the example, Loaded is false at time 2. However, T * P only expresses
the result of the update, that is, what is known at the time of the observation
(in this case, at time 3). As a result, there is no way to even ask what is true
at time 1, or 2, etc. Finally, there are problems in formalizing the process of
iterated update. For example, (T * P₁) * P₂ is different from the intuitive result
of incorporating two observations P₁ and P₂ (for an explanation of why, we refer
the reader to the borrowed car example [5]).

All these issues have already been pointed out by researchers in the field, for
example Boutilier [2, 3] and Li and Pereira [8]. However, most of these formalisms 
employ an ad-hoc syntax and semantics. The framework introduced in this paper 
allows for formalizing all those forms of update. The semantics of the language 
generalizes many semantics given for belief update. 

The benefits of AU are twofold: it is at the same time a useful extension of 
action theories with narratives, and it allows an easy and intuitive formalization 
(in a standard way) of theories of belief update. 

The paper is organized as follows: in the next section we describe the syntax 
and the semantics of the language AU. The syntax of AU is similar to that
of action description languages with narratives. As a result, we can define a
“classical” semantics for it, as well as a semantics that formalizes actions that
are not known to have happened. We prove that many belief update semantics can
be captured this way. Finally, we compare our approach with other ones dealing 
with updates and action theories, and discuss possible extensions of this work. 


2 The Language AU 


2.1 Syntax 


The alphabet of the language is composed of three mutually disjoint sets: the
set of actions, the set of fluents, and the set of time points. In this paper we 
assume that the set of time points is the set of non-negative integers. 

A fluent literal is a fluent possibly preceded by the negation symbol ¬. A
fluent expression is a propositional formula over the alphabet of fluents. Thus,
all the fluent literals are also fluent expressions, and if E₁ and E₂ are fluent
expressions, so are E₁ ∧ E₂, E₁ ∨ E₂, and ¬E₁.

A domain description is composed of three parts: behavioral, historical, and 
actual. If D is a domain description then D_B, D_H, and D_A are its behavioral,
historical, and actual parts, respectively. 


Behavioral Part. Is the set of effect propositions, and is the part of the do- 
main that specifies how the domain behaves in response to actions. An effect 
proposition is as follows: 


A causes F if P₁, ..., P_m


where F is a fluent literal, P₁, ..., P_m are fluent expressions, and A is an action.
The meaning is that the action A causes the fluent literal F to become true, if
the fluent expressions P₁, ..., P_m are currently true. For this reason, the fluent
expressions P₁, ..., P_m are called the preconditions of the proposition, and F is
called the effect.


Historical Part. Is the specification of the actions that are known to have 
been executed. A happens proposition is a statement of the form 


A happens at t


where A is an action and t is a time point. The meaning is clear: the action A
is executed at time point t.


Actual Part. Is the set of propositions that specify the status of a fluent at a 
certain time point. 


E after A₁; ...; A_m from t


where E is a fluent expression, A₁; ...; A_m are actions and t is a time point.
The meaning is that the fluent expression E is true after executing the actions
A₁; ...; A_m in sequence starting from the time point t. Such propositions allow
specifying both the status of a “real” time point and the status of hypothetical
situations. When m = 0 (i.e. no actions) the proposition is written E holds at t,
its meaning being that the fluent expression E is true at the time point t. On
the other hand, when t = 0, we write E after A₁; ...; A_m. What is the difference
between propositions like E holds at t and E after A₁; ...; A_m? The first one
refers to a specific time point t. The second one refers to a sequence of actions.
It is possible that the actions executed from 0 are not the sequence A₁; ...; A_m.
If this is the case, E after A₁; ...; A_m is a form of conditional knowledge: if the
actions A₁; ...; A_m were executed then E would be true. On the other hand,
E holds at t refers to the real status of the world at a certain time point.


2.2 Classical Semantics 


In this section we present the semantics of the language, according to the hy- 
pothesis that all the actions that are executed are known. 

A state is a set of fluent names. A fluent literal without negation F is true in 
the state $\sigma$ if $F \in \sigma$, false otherwise. A fluent expression $\neg E$ is true in $\sigma$ if and 
only if E is false in $\sigma$. A fluent expression $E_1 \wedge E_2$ is true in $\sigma$ if both $E_1$ and 
$E_2$ are true in $\sigma$. A fluent expression $E_1 \vee E_2$ is true in $\sigma$ if either $E_1$ is true in 
$\sigma$ or $E_2$ is true in $\sigma$. 

A transition function $\Phi$ is a function from the set of pairs $(A, \sigma)$, where A 
is an action and $\sigma$ a state, to the set of states. With $\Phi(A, \sigma)$ we want to represent 
the state obtained by performing the action A in the state $\sigma$. We abbreviate 
$\Phi(A_m, \Phi(A_{m-1}, \ldots, \Phi(A_1, \sigma) \ldots))$ as $\Phi(A_1; \ldots; A_m, \sigma)$. This is the state obtained 
after executing the sequence of actions $A_1; \ldots; A_m$ in $\sigma$. 

Let $V^+_{D_B}(A, \sigma)$ be the set of the fluent names F (i.e. positive fluent literals) 
such that there exists an effect proposition A causes F if $P_1, \ldots, P_m$ in the 
behavioral part of the domain description D and $P_1, \ldots, P_m$ are true in $\sigma$. 
Intuitively, $V^+_{D_B}(A, \sigma)$ represents the set of fluents whose value must become true 
when the action A is performed in the state $\sigma$. 

In a similar manner, $V^-_{D_B}(A, \sigma)$ is the set of fluents whose value must become 
false, and thus is defined as the set of fluent names F such that there exists an 
effect proposition A causes $\neg F$ if $P_1, \ldots, P_m$ in $D_B$ and $P_1, \ldots, P_m$ are true in 
$\sigma$. 

The transition function associated with a behavioral part $D_B$ is the (partial) 
function $\Psi_{D_B}$, defined as 


\[
\Psi_{D_B}(A, \sigma) =
\begin{cases}
(\sigma \cup V^+_{D_B}(A, \sigma)) \setminus V^-_{D_B}(A, \sigma) & \text{if } V^+_{D_B}(A, \sigma) \cap V^-_{D_B}(A, \sigma) = \emptyset \\
\text{undefined} & \text{otherwise}
\end{cases}
\]


We used the subscript $D_B$ here to stress the fact that the transition function 
of a domain description is determined by its behavioral part only. We assume 
that the transition function associated with a domain description D is always total. 
This can be verified in polynomial time. 
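
The definitions of $V^+_{D_B}$, $V^-_{D_B}$ and $\Psi_{D_B}$ can be read as a small procedure. The following Python sketch is only illustrative: the tuple encoding of fluent expressions and effect propositions, the function names `holds`, `effects` and `psi`, and the two-action shooting domain are assumptions made for this example and do not come from the paper.

```python
from typing import FrozenSet, Iterable, Optional, Tuple

State = FrozenSet[str]  # a state is the set of fluent names that are true


def holds(expr: tuple, state: State) -> bool:
    """Truth of a fluent expression in a state.

    Assumed encoding: ("var", F), ("not", E), ("and", E1, E2), ("or", E1, E2).
    """
    tag = expr[0]
    if tag == "var":
        return expr[1] in state
    if tag == "not":
        return not holds(expr[1], state)
    if tag == "and":
        return holds(expr[1], state) and holds(expr[2], state)
    if tag == "or":
        return holds(expr[1], state) or holds(expr[2], state)
    raise ValueError(f"unknown connective: {tag!r}")


# Assumed encoding of "A causes F if P1,...,Pm" as (A, F, True, [P1,...,Pm])
# and of "A causes not-F if P1,...,Pm" as (A, F, False, [P1,...,Pm]).
EffectProp = Tuple[str, str, bool, list]


def effects(d_b: Iterable[EffectProp], action: str, state: State, positive: bool) -> set:
    """V+ (positive=True) or V- (positive=False) for `action` in `state`."""
    return {
        fluent
        for (act, fluent, pos, pre) in d_b
        if act == action and pos == positive and all(holds(p, state) for p in pre)
    }


def psi(d_b: Iterable[EffectProp], action: str, state: State) -> Optional[State]:
    """Transition function of the behavioral part; None stands for 'undefined'."""
    d_b = list(d_b)
    v_plus = effects(d_b, action, state, True)
    v_minus = effects(d_b, action, state, False)
    if v_plus & v_minus:
        return None
    return frozenset((state | v_plus) - v_minus)


# Hypothetical domain: Load causes Loaded; Shoot causes not-Alive if Loaded.
D_B = [
    ("Load", "Loaded", True, []),
    ("Shoot", "Alive", False, [("var", "Loaded")]),
]
s0 = frozenset({"Alive"})
s1 = psi(D_B, "Load", s0)    # Loaded becomes true
s2 = psi(D_B, "Shoot", s1)   # Alive becomes false because Loaded holds
print(sorted(s1), sorted(s2))
```

Returning `None` for the undefined case keeps the function partial, as in the definition; a domain description whose transition function is total never triggers it.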

The sequence of actions associated with a time point t is defined as the sequence 
of actions $B_1; \ldots; B_k$ that happened before t. Formally, given a set of 
happens propositions H, we define 


$S(H, t) = B_1; \ldots; B_k$ such that 
1. $\{B_1 \text{ happens at } t_1, \ldots, B_k \text{ happens at } t_k\} \subseteq H$ 
2. $0 \leq t_1 < t_2 < \cdots < t_k < t$ 
3. there is no other proposition C happens at $t'$ 
in H such that $0 \leq t' < t$ 


S(H, t) is the sequence of actions that took place in the time interval 
between the time points 0 and t. 
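
As a minimal sketch of this definition, assuming that a happens proposition "A happens at t" is encoded as the pair `(A, t)` (an encoding and a function name chosen here for illustration), S(H, t) can be computed by filtering and sorting:

```python
from typing import Iterable, List, Tuple

Happens = Tuple[str, int]  # assumed encoding of "A happens at t" as (A, t)


def action_sequence(h: Iterable[Happens], t: int) -> List[str]:
    """S(H, t): every action of H with time point in [0, t), ordered by time."""
    before = sorted((time, action) for (action, time) in h if 0 <= time < t)
    times = [time for (time, _) in before]
    if len(times) != len(set(times)):
        # Two propositions share a time point, so no strictly increasing
        # ordering t_1 < ... < t_k exists and S(H, t) is not defined.
        raise ValueError("concurrent actions before time %d" % t)
    return [action for (_, action) in before]


H = {("Load", 0), ("Shoot", 2), ("Wait", 5)}
print(action_sequence(H, 3))
```

Note that an action happening exactly at t is not part of S(H, t): the state at time t reflects only the actions executed strictly before t.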
We define interpreted structures and models as follows. 


Definition 1. An interpreted structure is a 3-tuple $M = (\sigma_0, \Phi, H)$, where $\sigma_0$ 
is a state, $\Phi$ is a transition function, and H is a set of happens propositions. 


Definition 2. An interpreted structure $M = (\sigma_0, \Phi, H)$ is a model of a domain 
description $D = D_B \cup D_H \cup D_A$ (written $M \models D$) if and only if 


1. $\Phi = \Psi_{D_B}$ 

2. $H = D_H$ 

3. for each pair of different actions $A_1$ and $A_2$, and each time point t, it does not hold 
that both $A_1$ happens at t and $A_2$ happens at t belong to H (non-concurrency). 

4. for each proposition E after $A_1; \ldots; A_m$ from t in $D_A$, the fluent expression 
E is true in the state $\Phi(S(H, t); A_1; \ldots; A_m, \sigma_0)$. 


A domain description is consistent if it has models. A domain description 
entails a proposition E after $A_1; \ldots; A_m$ from t if and only if, for each 
$M = (\sigma_0, \Phi, H)$ such that $M \models D$, the fluent expression E is true in the state 
$\Phi(S(H, t); A_1; \ldots; A_m, \sigma_0)$. If this is the case, we write $D \models E$ after 
$A_1; \ldots; A_m$ from t. 


2.3 Update Semantics 


The semantics of the previous section does not take into account actions that 
happened, but of which we have no knowledge. For example, the domain 
description 

\[ D = \{ A \ \textbf{causes}\ F,\ \ \neg F \ \textbf{holds at}\ 0,\ \ F \ \textbf{holds at}\ 1 \} \]


is not consistent. This is because the value of a fluent remains unchanged if there 
is no action modifying it. Since there is no happens proposition specifying that 
an action happened at the time point 0, the value of the fluent F at 1 should be 
the same as that at 0. Instead, the truth value of the fluent has changed. 

Intuitively, it is clear that the action A happens at 0, and this causes the fluent 
F to become true. However, such an inference is not allowed in the semantics 
of the previous section, which assumes that the only actions that have 
happened are those specified in the domain description. 

In this section we present a semantics that allows the inference of statements 
about actions which are not known to have happened. First of all, we define a 
model with abduced actions as follows. 


Definition 3. An interpreted structure $M = (\sigma_0, \Phi, H)$ is a model with abduced 
actions for the domain description $D = D_B \cup D_H \cup D_A$ (written $M \models_a D$) if 
and only if: 


1. $\Phi = \Psi_{D_B}$ 

2. $D_H \subseteq H$ 

3. for each pair of different actions $A_1$ and $A_2$, and each time point t, it does 
not hold that both $A_1$ happens at t and $A_2$ happens at t belong to H (non-concurrency). 

4. for each proposition E after $A_1; \ldots; A_m$ from t in $D_A$, the fluent expression 
E is true in the state $\Phi(S(H, t); A_1; \ldots; A_m, \sigma_0)$. 


The only difference between this definition and the one given in the previous 
section is the fact that H can be a superset of $D_H$, rather than $D_H$ itself. Of 
course, this way arbitrarily large sets of happens propositions are allowed to be 
part of H. For this reason, a definition of minimality is needed. We assume that 
there is an ordering $\preceq$ between interpreted structures. 


Definition 4. A minimal model M of a domain description D is a minimal 
(w.r.t. $\preceq$) model with abduced actions of D. 


Thus, “minimal model” is shorthand for “minimal model with abduced actions”. 
We define a domain description D to be consistent if it has at least one minimal 
model. A domain description D entails a proposition E after $A_1; \ldots; A_m$ from t 
if and only if, for each minimal model $M = (\sigma_0, \Phi, H)$ of D, the fluent expression 
E is true in the state $\Phi(S(H, t); A_1; \ldots; A_m, \sigma_0)$. If this is the case, we write: 


\[ D \models_a E \ \textbf{after}\ A_1; \ldots; A_m \ \textbf{from}\ t \]


The last point to be defined is the ordering $\preceq$. The choice of $\preceq$ depends on 
the knowledge about the domain. A general principle is that a model with fewer 
happens statements should be preferred to (i.e. should be lower than, according 
to $\preceq$) models with more happens statements. This leads to the following 
definition. 


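Definition 5. The standard ordering $\preceq_S$ is defined as: 


\[
(\sigma_0, \Phi_0, H_0) \preceq_S (\sigma_1, \Phi_1, H_1)
\quad \text{iff} \quad
\sigma_0 = \sigma_1, \ \ \Phi_0 = \Phi_1, \ \text{ and } \ H_0 \subseteq H_1
\]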


Using this specific ordering, AU can be seen as a fragment of the logic $\mathcal{L}$ 
by Baral et al. [1]. What makes AU interesting is the fact that, using different 
orderings, it allows for expressing different update semantics, thus characterizing 
a number of natural processes of abducing the execution of actions. 
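
For small domains, the minimal models under the standard ordering can be enumerated by brute force. The sketch below is an illustration only, under several assumptions that are not in the paper: fluent expressions are Python predicates on states, the actual part contains only "E holds at t" propositions encoded as `(E, t)`, and abduced happens propositions are restricted to time points below a user-chosen `horizon` (actions at later time points cannot affect the observations and would be discarded by minimality anyway). Since every model shares the transition function $\Psi_{D_B}$, the ordering only has to compare the initial state and the set H.

```python
from itertools import chain, combinations


def subsets(items):
    """All subsets of `items`, as tuples."""
    items = list(items)
    return chain.from_iterable(combinations(items, r) for r in range(len(items) + 1))


def psi(d_b, action, state):
    """Transition function of D_B; effect props are (A, F, positive, [preconditions])."""
    plus = {f for (a, f, pos, pre) in d_b
            if a == action and pos and all(p(state) for p in pre)}
    minus = {f for (a, f, pos, pre) in d_b
             if a == action and not pos and all(p(state) for p in pre)}
    return None if plus & minus else frozenset((state | plus) - minus)


def state_at(d_b, h, t, state):
    """Apply S(H, t) to `state`; None if some transition is undefined."""
    for _, action in sorted((time, a) for (a, time) in h if time < t):
        state = psi(d_b, action, state)
        if state is None:
            return None
    return state


def abduced_models(fluents, actions, d_b, d_h, d_a, horizon):
    """Pairs (sigma_0, H) satisfying Definition 3, with abduced times < horizon."""
    candidates = [(a, t) for a in actions for t in range(horizon)]
    found = set()
    for sigma0 in map(frozenset, subsets(fluents)):
        for extra in subsets(candidates):
            h = frozenset(d_h) | frozenset(extra)          # D_H is a subset of H
            times = [t for (_, t) in h]
            if len(times) != len(set(times)):              # non-concurrency
                continue
            states = [state_at(d_b, h, t, sigma0) for (_, t) in d_a]
            if all(s is not None and e(s) for s, (e, _) in zip(states, d_a)):
                found.add((sigma0, h))
    return found


def minimal_standard(models):
    """Minimal elements w.r.t. the standard ordering (same sigma_0, smaller H)."""
    return {(s, h) for (s, h) in models
            if not any(s2 == s and h2 < h for (s2, h2) in models)}


# D = {A causes F, not-F holds at 0, F holds at 1}
d_b = [("A", "F", True, [])]
d_a = [(lambda s: "F" not in s, 0), (lambda s: "F" in s, 1)]
models = abduced_models({"F"}, {"A"}, d_b, [], d_a, horizon=2)
for sigma0, h in minimal_standard(models):
    print(sorted(sigma0), sorted(h))
```

On the example domain of this section, the only minimal model has an empty initial state and abduces A happens at 0, which matches the intuitive reading given above; the structure with H empty is not a model at all, which is why the classical semantics finds the description inconsistent.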

The entailment relation $\models_a$ obtained from the standard ordering $\preceq_S$ can be 
used to express the scenario of the example described in the introduction. Indeed, 
one can prove that the domain description entails, for example, $\neg$Loaded holds at 2, 
which is intuitively the only possible reason why Fred is still alive. Note that 
it is also possible to formalize the similar scenario in which we know that nothing 
happens between time 0 and 2: just add an action Nop, without effects, and 
two happens propositions Nop happens at 0 and Nop happens at 1 to the domain 
description. This new domain description is inconsistent: in this case, this is the 
intuitive outcome. 


3 Belief Update Using AU 


In this section we show how several definitions of belief update can be formalized 
in a domain of actions using the language AU. The motivation for doing so is 
twofold. The first is that this formalization allows for a new interpretation of 
the definitions of update. For example, Winslett’s update can be expressed by 
introducing actions that change the value of a variable, and minimizing the 
set of actions that happened. 

Moreover, by giving definitions of the ordering $\preceq$, we solve the problem of 
the incomplete specification of the entailment relation $\models_a$. Indeed, the orderings 
defined here could be used for domain descriptions different from those obtained from 
the formalization of update. 

We consider the following update definitions: Winslett’s update [14], Katsuno 
and Mendelzon’s updates [7], and Boutilier’s abduction-based update [2]. We do 
not consider Boutilier’s event based update [3] due to the lack of space, but this 
update can be expressed in the formalism. 

We use the following notations: if P is a propositional formula, then Mod(P) 
is the set of its models. Conversely, if A is a set of models, then Form(A) is a 
propositional formula whose set of models is A. Thus, Form is a multi-valued 
function, since there are many formulas sharing the same set of models. This is 
not a problem in this work. 


3.1 Winslett’s Update 


Consider a propositional formula T representing the state of the world. This 
information is assumed to be correct, but not (necessarily) complete. When a 
change in the world occurs, this description of the world must be modified. The 
assumption behind belief update is that what we know about the change is a 
propositional formula P that is true in the new situation. Winslett’s approach 
is model-based, that is, the result of the update $T *_W P$ is defined in terms of 
the sets of models of T and P. 

The underlying assumption in belief revision and update is that of minimal 
change: the knowledge base T should be changed as little as possible in the 
process of incorporating the update P. 

Winslett’s update [14] operates on a model-by-model basis. Let I be an 
interpretation, and let $\leq_I$ be the ordering on interpretations defined as 


\[ J \leq_I Z \quad \text{iff} \quad Diff(I, J) \subseteq Diff(I, Z) \]


where Diff(I, J) is the set of variables on which I and J disagree. Intuitively, 
$J \leq_I Z$ means that, since J and I have more literals assigned to the same truth 
value than Z and I, the interpretation J must be considered to be closer to I 
than Z. 

The update of the k.b. T when a new formula P becomes true after a change 
is defined considering each model of T separately. 


\[ Mod(T *_W P) = \bigcup_{I \in Mod(T)} \min(Mod(P), \leq_I) \]
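
The definition translates directly into a few lines of code. In the following sketch, interpretations are represented as frozensets of the variables they make true, so that Diff(I, J) is simply the symmetric difference of the two sets; the helper names `models` and `winslett_update` and the example formulas are assumptions made for illustration.

```python
from itertools import product


def models(variables, formula):
    """Mod(formula): interpretations (frozensets of true variables) satisfying it."""
    variables = sorted(variables)
    result = set()
    for bits in product([False, True], repeat=len(variables)):
        interp = frozenset(v for v, b in zip(variables, bits) if b)
        if formula(interp):
            result.add(interp)
    return result


def winslett_update(mod_t, mod_p):
    """Mod(T *_W P): union over I in Mod(T) of the <=_I-minimal models of P."""
    result = set()
    for i in mod_t:
        for j in mod_p:
            # Diff(I, J) is the symmetric difference i ^ j; J is minimal if no
            # model Z of P has Diff(I, Z) strictly included in Diff(I, J).
            if not any((i ^ z) < (i ^ j) for z in mod_p):
                result.add(j)
    return result


X = {"x", "y"}
mod_t = models(X, lambda m: "x" not in m and "y" not in m)   # T = not-x and not-y
mod_p = models(X, lambda m: "x" in m or "y" in m)            # P = x or y
print(sorted(sorted(m) for m in winslett_update(mod_t, mod_p)))
```

In this example the model of P that makes both x and y true is discarded, because changing a single variable already suffices to satisfy P.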


We show that Winslett’s update can be easily expressed in our framework. 
Let X be the alphabet of T and P. We define a domain description as follows. 
The set of fluents is the set of variables X. The intuitive explanation is: the set of 
fluents is the set of facts that may change over time, and this is also the meaning 
of the fluents in reasoning about actions. For each variable $x_i$ there is an action 
$A_i$. This action formalizes the change of value of the variable $x_i$ between time 
points. 

The domain description is built as follows. For each variable $x_i$ there are two 
effect propositions: 


\[ D_B = \bigcup_{x_i \in X} \{ A_i \ \textbf{causes}\ x_i \ \textbf{if}\ \neg x_i,\ \ A_i \ \textbf{causes}\ \neg x_i \ \textbf{if}\ x_i \} \]


The historical part of the domain is empty: $D_H = \emptyset$. Let $n = |X|$, that is, 
the number of variables. The actual part of the domain description is composed 
of two propositions: 


\[ D_A = \{ T \ \textbf{holds at}\ 0,\ \ P \ \textbf{holds at}\ n \} \]


Thus, $D = D_B \cup D_A$. This formalization is a very intuitive one: the fluents 
are facts, and each action changes the value of a fact. This definition captures 
Winslett’s semantics of update. 

Theorem 1. Let D be the domain description corresponding to T and P. Then, 
for each propositional formula Q over the alphabet X, it holds $T *_W P \models Q$ if 
and only if $D \models_a Q$ holds at n (using the standard ordering $\preceq_S$). 


P is assumed to hold at time n because we do not allow concurrent actions: up to n 
variables may have to change, and each change takes one time point. 
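
The statement of Theorem 1 can be checked by brute force on small alphabets. The sketch below is not a proof and is not taken from the paper: it assumes the same frozenset encoding of interpretations as above, uses the fact that the action $A_i$ of this particular domain description simply flips $x_i$ (so the order of the flips does not matter), and compares the states reached at time n in the minimal models with the models of Winslett's update. All function names are hypothetical.

```python
from itertools import chain, combinations


def subsets(items):
    items = list(items)
    return chain.from_iterable(combinations(items, r) for r in range(len(items) + 1))


def models(variables, formula):
    """Mod(formula) as a set of frozensets of true variables."""
    return {frozenset(s) for s in subsets(variables) if formula(frozenset(s))}


def winslett(mod_t, mod_p):
    """Mod(T *_W P), with Diff(I, J) computed as the symmetric difference."""
    return {j for i in mod_t for j in mod_p
            if not any((i ^ z) < (i ^ j) for z in mod_p)}


def au_update(variables, t_formula, p_formula):
    """States at time n in the minimal models (standard ordering) of the
    domain description built from T and P as described in this section."""
    variables = list(variables)
    n = len(variables)
    candidates = [(x, t) for x in variables for t in range(n)]  # "A_x happens at t"
    found = []  # triples (sigma_0, H, state at time n)
    for s0 in models(variables, t_formula):          # T holds at 0
        for h in map(frozenset, subsets(candidates)):
            times = [t for (_, t) in h]
            if len(times) != len(set(times)):        # non-concurrency
                continue
            state = s0
            for (x, _) in h:                         # A_x flips x; flips commute
                state = state ^ {x}
            if p_formula(state):                     # P holds at n
                found.append((s0, h, state))
    return {s for (s0, h, s) in found
            if not any(s1 == s0 and h1 < h for (s1, h1, _) in found)}


X = ["x", "y"]
T = lambda m: "x" not in m and "y" not in m
P = lambda m: "x" in m or "y" in m
print(au_update(X, T, P) == winslett(models(X, T), models(X, P)))
```

Comparing sets of states is enough here, because two sets of interpretations over X entail the same formulas Q exactly when they coincide.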


3.2 Katsuno and Mendelzon’s Update 


Katsuno and Mendelzon [7] defined a family of updates, rather than a specific 
operator. They also proved that Winslett’s operator is a sub-case of their defi- 
nition. 

Let $O = \{\leq_I \mid I \text{ is an interpretation}\}$ be a family of partial orderings over the 
set of the interpretations, one for each interpretation I. In other words, for each 
interpretation I there is a partial ordering $\leq_I$ over the set of the interpretations. 
An interpretation I represents a complete description of the world. $J \leq_I Z$ 
means that the situation represented by the interpretation J is considered more 
plausible than the situation of Z. As a result, assuming that there has been a 
transition from I to J requires less change than the change from I to Z. Thus, 
assuming that I represents the current state, the result of the update should be: 


\[ Mod(Form(I) *_{KM} P) = \min(Mod(P), \leq_I) \]


If the current k.b. is not composed of a single interpretation, this must be 
done for each $I \in Mod(T)$: 


\[ Mod(T *_{KM} P) = \bigcup_{I \in Mod(T)} \min(Mod(P), \leq_I) \]


Note that Katsuno and Mendelzon define a set of update operators rather 
than a single one: indeed, each family of orderings defines a specific KM operator. 
As a result, in order to specify an actual update, a family of orderings must be 
defined. 
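
The dependence on the family of orderings can be made explicit by passing the ordering as a parameter. In this sketch, which is only illustrative, `leq(i, j, z)` is an assumed Python rendering of $J \leq_I Z$; the first instance is Winslett's inclusion-based ordering, the second is a cardinality-based comparison used here purely as a contrasting example.

```python
def km_update(mod_t, mod_p, leq):
    """Mod(T *_KM P) for the family of orderings given by leq(i, j, z) == (J <=_I Z)."""
    result = set()
    for i in mod_t:
        for j in mod_p:
            # J is discarded if some model Z of P is strictly below it w.r.t. <=_I.
            strictly_better = any(leq(i, z, j) and not leq(i, j, z) for z in mod_p)
            if not strictly_better:
                result.add(j)
    return result


def winslett_leq(i, j, z):
    """J <=_I Z iff Diff(I, J) is included in Diff(I, Z)."""
    return (i ^ j) <= (i ^ z)


def cardinality_leq(i, j, z):
    """Illustrative alternative: compare the number of differing variables."""
    return len(i ^ j) <= len(i ^ z)


mod_t = {frozenset()}                                   # all variables false
mod_p = {frozenset({"x"}), frozenset({"y", "z"})}       # two candidate outcomes
print(len(km_update(mod_t, mod_p, winslett_leq)))
print(len(km_update(mod_t, mod_p, cardinality_leq)))
```

With the inclusion-based ordering the two models of P are incomparable and both survive, whereas the cardinality-based comparison keeps only the model that changes a single variable.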

There is a simple way to capture Katsuno and Mendelzon’s update in our 
framework. Given a family of orderings (one for each interpretation) we define 
the domain description as the one given in the previous section. The ordering 
used is defined as follows. 


Definition 6. Given a family of partial orderings $O = \{\leq_I\}$, one for each 
interpretation I, we define an ordering over interpreted structures $\preceq_{KM}$ as 
$(\sigma_0, \Phi_0, H_0) \preceq_{KM} (\sigma_1, \Phi_1, H_1)$ if and only if 


1. $\sigma_0 = \sigma_1$. 
2. $\Phi_0 = \Phi_1$. 
3. $\Phi_0(S(H_0, n), \sigma_0) \leq_{\sigma_0} \Phi_1(S(H_1, n), \sigma_1)$. 


Note that there is an ordering $\preceq_{KM}$ for each family of orderings over the 
interpretations. Thus, the formally correct notation should be $\preceq_O$, but we use 
$\preceq_{KM}$ for simplicity. The following theorem shows that we are indeed formalizing 
the Katsuno and Mendelzon updates. 

Theorem 2. For each Katsuno and Mendelzon update, and for each 3-tuple of 
propositional formulas T, P, and Q, it holds $T *_{KM} P \models Q$ if and only if $D \models_a$ 
Q holds at n, using the ordering $\preceq_{KM}$ as in Definition 6. 


3.3 Abduction-Based Update 


The rationale of the abduction-based update [3] is that the events that change 
the world can be modeled by an abductive semantics. Some of these events may 
be more plausible than others. In order to explain the change, we choose only 
the ones we consider to be more plausible. 

Since this update requires the specification of the outcome of events, and their 
plausibility, the current knowledge base T and the update P do not suffice to 
evaluate the updated k.b. This kind of update, in which some extra information 
is required, is called an update schema. It can be viewed as a family of updates, one 
for each set of events and their plausibility. Giving the events and their plausibility 
is equivalent to selecting a specific update of the family. 

We now give the formal definition of the update. A more detailed explanation 
can be found in the paper where this update is introduced [3]. In order to 
explain the changes, we have a set of events E. Each event e is a function from 
interpretations to sets of interpretations. Thus, for each interpretation I, e(I) 
is a set of interpretations. The meaning of $J \in e(I)$ is that the possible world 
represented by the interpretation J is one of the possible outcomes of the event 
e, if this event occurs in the world represented by the interpretation I. An event 
e is said to be deterministic if e(I) is always composed of a single interpretation. 

As seen in the informal explanation above, not all the events are considered 
equally plausible. To represent the relative plausibility of events we have a family 
of preorders $O = \{\leq_I \mid I \in M\}$, one for each interpretation I. When $e \leq_I s$ the 
event e is considered more likely to happen than s, in the world represented by 
the interpretation I. We denote by $e <_I s$ the fact that e is strictly more likely 
than s; formally, that $e \leq_I s$ but not $s \leq_I e$. 

Let T be the current k.b. and P the update. The set of explanations of P 
is the set of events whose occurrence can explain the fact that P is now true. 
There are two possible definitions. 


Definition 7. The set of weak explanations of P is 
\[ Expl(I, P) = \min(\{ e \mid e(I) \cap Mod(P) \neq \emptyset \}, \leq_I) \]
The set of predictive explanations of P is 
\[ Expl_p(I, P) = \min(\{ e \mid e(I) \subseteq Mod(P) \}, \leq_I) \]


The outcome of the update is defined in terms of the progression of a possible 
world I. 


Definition 8. The progression of an interpretation I is the set 


\[ Prog(I, P) = \bigcup \{ e(I) \cap Mod(P) \mid e \in Expl(I, P) \} \]

The progression of an interpretation can be defined also for predictive 
explanations. The updated k.b. is defined as the union of all the progressions. 


Definition 9. The result of updating T with P is¹ 
\[ Mod(T *_{ABD} P) = \bigcup \{ Prog(I, P) \mid I \in Mod(T) \} \]


In this definition we assume the use of the weak explanations. A similar 
definition can be given using predictive explanations instead. 
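
Definitions 7 to 9 compose into a short pipeline: select the most plausible events that can explain P, collect their outcomes that satisfy P, and take the union over the models of T. The sketch below illustrates this under assumptions that are not in the source: events are a dictionary from hypothetical names to functions on interpretations, plausibility is given by a function `leq(i, e, s)` standing for $e \leq_I s$, and the rain and sprinkler events are invented for the example.

```python
def minimal(items, leq):
    """Elements a of `items` such that no b is strictly below a w.r.t. `leq`."""
    items = list(items)
    return [a for a in items
            if not any(leq(b, a) and not leq(a, b) for b in items)]


def explanations(events, leq, i, mod_p, predictive=False):
    """Expl(I, P) (weak) or Expl_p(I, P) (predictive), as a list of event names."""
    if predictive:
        able = [e for e, f in events.items() if f(i) <= mod_p]   # e(I) subset of Mod(P)
    else:
        able = [e for e, f in events.items() if f(i) & mod_p]    # e(I) meets Mod(P)
    return minimal(able, lambda a, b: leq(i, a, b))


def progression(events, leq, i, mod_p):
    """Prog(I, P), using weak explanations."""
    result = set()
    for e in explanations(events, leq, i, mod_p):
        result |= events[e](i) & mod_p
    return result


def abd_update(events, leq, mod_t, mod_p):
    """Mod(T *_ABD P): union of the progressions of the models of T."""
    result = set()
    for i in mod_t:
        result |= progression(events, leq, i, mod_p)
    return result


# Hypothetical events over the variables {wet, on}; all are deterministic.
events = {
    "nothing": lambda i: {i},
    "rain": lambda i: {i | {"wet"}},
    "sprinkler": lambda i: {i | {"wet", "on"}},
}
rank = {"nothing": 0, "rain": 1, "sprinkler": 2}   # lower rank = more plausible
leq = lambda i, e, s: rank[e] <= rank[s]

mod_t = {frozenset()}                                      # dry, sprinkler off
mod_p = {frozenset({"wet"}), frozenset({"wet", "on"})}     # P = wet
print(abd_update(events, leq, mod_t, mod_p))
```

In this example "nothing" cannot explain P, and "rain" is preferred to "sprinkler", so the updated knowledge base has the single model in which only `wet` is true.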

We show how the abduction-based update can be expressed in AU. We 
assume that all the events are deterministic. This is a natural assumption, since 
the actions of the language AU are always deterministic. Under the assumption 
of determinism, weak and predictive explanations are the same. 

Let $E = \{e_1, \ldots, e_m\}$ be the set of events. The corresponding action theory 
has m actions $A_1, \ldots, A_m$. The behavioral part of the domain is determined by 
the events in the following manner. For each event $e_i$ and interpretation I, if $x_j$ 
is true in $e_i(I)$ we have the effect proposition 


\[ A_i \ \textbf{causes}\ x_j \ \textbf{if}\ \bigwedge_{x_k \in I} x_k \wedge \bigwedge_{x_k \notin I} \neg x_k \]


otherwise the effect proposition to add is 


\[ A_i \ \textbf{causes}\ \neg x_j \ \textbf{if}\ \bigwedge_{x_k \in I} x_k \wedge \bigwedge_{x_k \notin I} \neg x_k \]


The behavioral part $D_B$ of the domain description is the union of all these 
effect propositions, for each event $e_i$, interpretation I and atom $x_j$. 
The actual part is composed of two propositions only: 


\[ D_A = \{ T \ \textbf{holds at}\ 0,\ \ P \ \textbf{holds at}\ 1 \} \]


The historical part of the domain description is empty: $D_H = \emptyset$. The ordering 
$\preceq_A$ is defined as follows. 

Definition 10. The ordering $\preceq_A$ is defined as: $(\sigma_0, \Phi_0, H_0) \preceq_A (\sigma_1, \Phi_1, H_1)$ if 
and only if 
1. $\sigma_0 = \sigma_1$ 
2. $\Phi_0 = \Phi_1$ 
3. it holds that $e_0$ happens at 0 is in $H_0$, $e_1$ happens at 0 is in $H_1$, and $e_0 \leq_{\sigma_0} e_1$. 


Regarding the correctness of this definition, the following theorem relates 
entailment in AU to inference under $*_{ABD}$. 


Theorem 3. For each 3-tuple of propositional formulas T, P, and Q, it holds 
$T *_{ABD} P \models Q$ if and only if $D \models_a Q$ holds at 1 (using the ordering $\preceq_A$), where 
D is the domain description defined above. 
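
The construction of the behavioral part from the events can be sketched as follows. This is an illustration under assumed encodings, not the paper's implementation: an effect proposition is the tuple `(action, variable, positive, I)`, where the interpretation `I` stands for the complete conjunction used as precondition, and the two events are invented for the example. The count printed at the end makes the size of the translation visible: one proposition per event, interpretation and variable.

```python
from itertools import product


def interpretations(variables):
    """All interpretations over `variables`, as frozensets of true variables."""
    variables = sorted(variables)
    for bits in product([False, True], repeat=len(variables)):
        yield frozenset(v for v, b in zip(variables, bits) if b)


def translate(events, variables):
    """Effect propositions for deterministic events.

    Each proposition is (action, variable, positive, I), read as
    "A causes x (or not-x) if <complete description of I>".
    """
    props = []
    for name, event in events.items():
        for interp in interpretations(variables):
            outcomes = event(interp)
            if len(outcomes) != 1:
                raise ValueError("event %r is not deterministic" % name)
            (outcome,) = outcomes
            for x in sorted(variables):
                props.append((name, x, x in outcome, interp))
    return props


# Hypothetical deterministic events over the variables {wet, on}.
events = {
    "rain": lambda i: {i | {"wet"}},
    "dry_up": lambda i: {i - {"wet"}},
}
d_b = translate(events, {"wet", "on"})
print(len(d_b))   # number of events * 2**(number of variables) * number of variables
```

The factor $2^{|X|}$ comes from enumerating every interpretation, since an event may behave differently in each possible world.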


¹ In Boutilier’s original definition, the update is inconsistent if there is an 
$I \in Mod(T)$ such that Prog(I, P) is empty. For simplicity, we do not consider this case. 


4 Related Work 


In this section we compare our approach with others that use the similarities 
between reasoning about actions and update. The approach that is most similar 
to ours is the Possible Causes Approach (PCA) proposed by Li and Pereira [8]. 
Although it is based on similar principles, it differs from our proposal in two 
respects. First of all, update is not embedded into the temporal logic. Rather, 
given a domain description and an update, the aim of PCA is to consistently 
incorporate the update in the domain. In our semantics, the updating formula 
is expressed as a proposition of the domain description. 

Another difference regards the KM postulates. Li and Pereira’s approach 
does not obey the KM principle that models of the initial knowledge base must 
be updated separately. This implies, for example, that Winslett’s update cannot 
be easily expressed in Li and Pereira’s formalism. 

The KM postulates, like our framework, provide a generalization of Winslett’s 
approach to update. For lack of space, we cannot make a detailed comparison 
between these two frameworks. Let us only say that, while the KM postulates 
only generalize Winslett’s semantics, our approach is more general, as other 
update methods can be encoded in it. 

Another approach which is somewhat related to ours is due to Peppas [10], 
who shows how epistemic entrenchment (a well-known notion in belief revision) 
can be used in the update framework as well. 

The relationship between belief update and reasoning about actions has 
also been analyzed by del Val and Shoham. The key idea of their work can be 
summarized by the following quotation [4]. 


The initial database is taken to describe a particular situation, and the 
update formula is taken to describe the effect of a particular action. 
A formal theory of action is then used to infer facts about the result 
of taking the particular action in the particular situation [...]. Finally, 
anything inferred about the resulting situation can be translated back 
to the timeless framework of belief update. 


Their framework is used to derive a semantics for belief update. In order to 
do this, they translate a specific initial base and an update into a specific theory 
of actions. A single update is translated into a single action. From this point of 
view, our framework is exactly the opposite: we derive a semantics of a possibly 
inconsistent theory of actions by employing the idea of update. An update is 
indeed a fact that holds at some time point, and changes are caused by actions. 

Winslett’s update, as it was initially defined [13], was used in a similar way: 
the initial knowledge base is the state of the world at a certain time point, and 
the update is the effect of a complex action. The result of Winslett’s update is 
used to determine the state of the world after the action is performed. In this 
way the frame problem is solved, if the effect of the action is a conjunction of 
literals. 

In this context, an action is formalized by an update: as we have shown, updates 
can in turn be formalized as the result of a number of simpler actions. Following 
this approach, and using Winslett’s update, a complex action is considered to 
be equivalent to a set of elementary actions, each changing the truth value of a 
variable. In the case of non-disjunctive actions, having yet another solution to 
the frame problem is not really interesting at this point, as many other solutions 
already exist [11, 12]. The point of view offered by this approach may be of 
interest in the case of disjunctive actions. 


5 Discussion 


In this paper we have introduced the language AU, which formalizes scenarios in 
which actions may take place without the agent having any knowledge of them. The 
language AU is essentially a dialect of the language A for reasoning about actions 
[6] with narratives. 

This formalism is also useful for the field of belief update. Indeed, the definitions 
given by Boutilier, Katsuno and Mendelzon, and Winslett can be easily 
encoded in AU. This provides a way for comparing the semantics of these 
formalisms. For example, Winslett’s update can be expressed in AU by assuming 
that the change that caused the updating formula to hold in a successive state is 
due to the effect of a sequence of simple actions, each causing the truth value of a 
variable to change. The actions we used to formalize Boutilier’s abduction-based 
update are more complicated (i.e. involving more than one variable). 

Regarding Boutilier’s update, we also note that the translation given here 
is exponential-size. This can be explained by observing that Boutilier’s events 
may be arbitrarily involved. In real scenarios, there should be a simple rule to 
determine the effect of events. 

The language AU allows the integration of many features that are recognized 
by many researchers as fundamental in expressive theories of belief update. 


1. It is possible to express which changes may take place (for example, the fact 
that Fred cannot become alive once he is dead is formalized by the absence 
of actions that make Fred alive if he is dead). 

2. In some situations, an observation at time 1 leads us to modify our knowledge 
about time 0. This can be expressed in AU. 

3. It is possible to express multiple observations at different time points (iter- 
ated belief update). 


An interesting feature of AU is that it allows inference of happens statements: 
a domain description D implies a happens proposition A happens at t if and 
only if A happens at t is contained in all the models of D. This issue is 
of course trivial in classical action description languages, in which a happens 
proposition is implied by a domain description if and only if it is in the domain. 
In AU (with the update semantics) it is possible to infer that an action took 
place at time t if A happens at t is in all the models of the domain description. 

So much for the benefits of the language AU. Let us now turn our attention 
to the possible extensions. A first open problem is a translation 
from domain descriptions into abductive logic programs (or circumscription). 

From a semantical point of view, AU itself can be extended in many ways: 
non-deterministic actions, concurrent actions, and the integration of revision and 
update. 


Consider an extension of AU with non-deterministic actions. A first application 
is the incorporation of abduction-based update with non-deterministic 
events in our formalism. 


Another benefit regards the treatment of disjunctive information. This is a 
well-known benchmark problem: the initial knowledge base is $T = x \wedge \neg y$, and 
the update is $P = x \oplus y$. In such cases, the result of Winslett’s update (as well 
as any other KM update) is $T * P = x \wedge \neg y$. This is sometimes correct, but there 
are scenarios in which this result is intuitively wrong. Let for example x be “the 
coin is on heads”, and y be “the coin is on tails”. According to T, the coin 
is currently on heads. When we toss the coin, the knowledge base is updated 
with $P = x \oplus y$, that is, what we know is that either the coin is on heads or 
it is on tails. The result of updating T with P should be $T * P = x \oplus y$. 
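
For Winslett's operator, the first result can be worked out directly from the definition of Section 3.1. In the following derivation, given as an illustration, interpretations are written as the set of variables they make true:

```latex
\begin{align*}
Mod(T) &= \{\{x\}\}, \qquad Mod(P) = \{\{x\}, \{y\}\} \\
Diff(\{x\}, \{x\}) &= \emptyset \subset \{x, y\} = Diff(\{x\}, \{y\}) \\
Mod(T *_W P) &= \min(Mod(P), \leq_{\{x\}}) = \{\{x\}\} = Mod(x \wedge \neg y)
\end{align*}
```

The only model of T already satisfies P, so no change at all is the minimal change, and the outcome "tails" is never considered.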


The addition of non-deterministic actions in our framework allows for solving 
such problems. Indeed, what is needed is a non-deterministic action A causes $x \oplus y$. 
Note that this is very different from the standard update $x \oplus y$ holds at n 
(this second scenario gives $x \wedge \neg y$ as the result of the update). In this formalism it 
is possible to provide enough information to decide whether we are in a situation 
in which Winslett’s treatment of disjunctive information is correct, or in one in which it is 
not. This second case is essentially due to the existence of actions whose effect 
is the considered disjunction. 


This use of non-deterministic actions is similar to that of del Val and Shoham 
[4]. However, in their formalism there is no way to distinguish scenarios in which 
the result must be equal to that of Winslett’s update from those in which it must be 
different. Indeed, there are scenarios in which the result of Winslett’s update is 
correct (i.e. the result of updating $T = x \wedge \neg y$ with $P = x \oplus y$ must be 
$T * P = x \wedge \neg y$) and others in which it is not. Del Val and Shoham’s semantics does not 
give any hint on how to make a choice, which is left to the user. Conversely, 
in AU with non-deterministic actions the choice is simply determined by the 
actions that may happen and their effects. Del Val and Shoham’s semantics maps 
both actions and updates into actions, and this leads to a loss of information. 


A second possible extension is the addition of concurrent actions. Consider 
the formalization of Winslett’s update in our framework. There is an action for 
each variable of the alphabet. This is reasonable, since the assumption is that 
the variables can change their value arbitrarily. What is not so intuitive is the 
fact that the observation P is formalized as the value proposition P holds at n. 
Since there is only a knowledge base T about the initial time point, and the 
observation P, there is no intuitive reason why P holds at 1 should not 
work as well. The technical reason is that the assumption of Winslett’s update 
is that all the changes may happen simultaneously or, still better, between two 
time points it is always possible to perform an arbitrary number of changes. This 
can be expressed in our formalism by introducing concurrent actions. 

Finally, the principles of AU can be used to extend the system BReLS [9] to 
deal with complex actions. BReLS has been introduced to deal with domains in 
which both revision and update are necessary. The semantics of BReLS is based 
on the principle of combining a measure of reliability of sources of information 
with the likeliness of events. The way in which events are formalized is so far 
quite simple: the only possible actions are those setting the value of a variable to 
a given value (true or false). The user can decide the likeliness of such actions, but 
cannot define more complex actions. Syntactically, this is done with a statement 
like change(i) : l, which means that the penalty (degree of unlikeliness) of 
the literal l becoming true is i. Extending the syntax is quite straightforward: 
change(i) : A means that the penalty for the action A taking place is i. The 
extension of the semantics is also quite easy: a model is composed of a set of 
static models (propositional interpretations), one for each time point, and a set 
of actions for any pair of consecutive time points. This model is consistent with 
the domain description if and only if the static model at time t + 1 is the result 
of applying the actions relative to the pair (t, t + 1) to the static model of time t. 
The ordering between models can also be obtained by combining the degree of 
reliability of sources with the penalty associated to changes, as usual. Extending 
the implemented algorithms, on the other hand, seems to be not as simple. 


Abstract. In previous work, we developed a framework for expressing general 
preference information in default logic and logic programming. Here we show 
that the approach of Brewka and Eiter can be captured within this framework. 
Hence, the present results demonstrate that our framework is general enough 
to capture other independently-developed methodologies. As well, since the ex- 
tended logic program framework has been implemented, we provide an imple- 
mentation of the Brewka and Eiter approach via an encoding of their approach. 


1 Introduction 


In previous work [6], we presented a general framework based on default logic for 
expressing general preference information. There, we addressed the problem of repre- 
senting preferences among individual and aggregated properties in default logic. In this 
approach, one begins with an ordered default theory, in which preferences are specified 
on default rules. This is transformed into a second, standard, default theory in which 
the preferences are respected, in the sense that the obtained default extensions contain 
just those conclusions that accord with the order expressed by the original preference 
information. The approach is fully general: One may specify preferences that hold by 
default, or give preferences among preferences, or give preferences among sets of de- 
faults. 

We adapted this approach in [8] for logic programming under the answer set se- 
mantics [11]. While the original approach is usable for full-fledged theorem provers for 
default logic, like DeReS [5], this subsequent approach applies to logic programming 
systems, such as dlv [10] or smodels [14]. In fact, we have provided an implementation 
of the approach in extended logic programs, serving as a front-end for dlv and 
smodels (see [9] for details). 

In the context of default logic, our methodology involves the appropriate “decom- 
position” of default rules, so that one can detect the applicability conditions of default 
rules and control their actual application. In our framework, this is carried out within 
a default theory. This is accomplished, first, by associating a unique name with each 
default rule, so that it can be referred to within a theory. Second, special-purpose pred- 
icates are introduced for detecting conditions in a default rule, and for controlling rule 
invocation. This in turn allows a fine-grained control over what default rules are applied 
and in what cases. By means of these named rules and special-purpose predicates, one 
can formalise various phenomena of interest. 

Given an ordered default theory (D, W, <), where < is a strict partial order on D, 
the intuition is that one applies the <-maximal default(s), if possible, then the next <- 
greatest, and so on. Thus we adopt a prescriptive interpretation of the ordering, in that < 
prescribes the order in which rules are applied. This can be contrasted with a descriptive 
interpretation, in which the preference order represents a ranking on desired outcomes: 
the desirable (or: preferred) situation is one where the most preferred default(s) are 
applied. 

The approach of Brewka and Eiter [3], first developed with respect to extended logic 
programs and subsequently generalized for default logic in [4], arguably fits the “de- 
scriptive” interpretation. In common with previous work, Brewka and Eiter begin with 
a partial order on a rule base, but define preference with respect to total orders that con- 
form to the original partial order. As well, answer sets or extensions, respectively, are 
first generated and the “prioritized” answer sets (extensions) are selected subsequently. 
In contrast, in our approach, we deal only with the original partial order, which is trans- 
lated into the object theory. As well, only “preferred” extensions are produced in our 
approach; there is no need for meta-level filtering of extensions. 

However, we show here that the approach of Brewka and Eiter is expressible in our 
framework. Consequently, this serves to show the scope and generality of our frame- 
work. As well, this result enables a straightforward implementation of the Brewka and 
Eiter approach. 

In the next section we briefly introduce default logic, while Sections 3 and 4 
introduce our approach and Brewka and Eiter’s, respectively. Section 5 describes the 
translation of their approach expressed in default logic, while Section 6 does the same 
for the case of extended logic programs. Section 7 gives brief concluding remarks. 


2 Background 


Default logic [16] augments classical logic by default rules of the form 

\[ \frac{\alpha : \beta_1, \ldots, \beta_n}{\gamma} \]

where α, β_1, ..., β_n, γ are sentences of first-order or propositional logic. Here we 
mainly deal with singular defaults for which n = 1. A singular rule is normal if β is 
equivalent to γ; it is semi-normal if β implies γ. [12] shows that any default rule can be 
transformed into a set of semi-normal defaults. We sometimes denote the prerequisite 
α of a default δ by Prereq(δ), its justification β by Justif(δ), and its consequent γ by 
Conseq(δ). Accordingly, Prereq(D) is the set of prerequisites of all default rules in 
D; Justif(D) and Conseq(D) are defined analogously. Empty components, such as no 
prerequisite or even no justifications, are assumed to be tautological (we speak in such 
cases of prerequisite-free and justification-free defaults, respectively). Open defaults 
with unbound variables are taken to stand for all corresponding instances. A set of 
default rules D and a set of sentences W form a default theory (D, W) that may induce 
a single, multiple, or even zero extensions in the following way: 


Definition 1. Let (D,W) be a default theory and let E be a set of sentences. Define 
E_0 = W and for i ≥ 0: 

\[
\begin{aligned}
GD_i &= \left\{ \tfrac{\alpha : \beta_1, \ldots, \beta_n}{\gamma} \in D \;\middle|\; \alpha \in E_i,\ \neg\beta_1 \notin E, \ldots, \neg\beta_n \notin E \right\}; \\
E_{i+1} &= Th(E_i) \cup \{ Conseq(\delta) \mid \delta \in GD_i \}.
\end{aligned}
\]

Then, E is an extension for (D,W) iff E = ⋃_{i≥0} E_i. 


(Th(E) refers to the logical closure of set E of sentences.) Any such extension represents 
a possible set of beliefs about the world at hand. The above procedure is not 
constructive since E appears in the specification of GD_i. We define GD(D, E) = 
⋃_{i≥0} GD_i as the set of generating defaults of extension E. An enumeration ⟨δ_i⟩_{i∈I} 
of default rules is grounded in a set of sentences W, if we have for every i ∈ I that 
W ∪ Conseq({δ_0, ..., δ_{i−1}}) ⊢ Prereq(δ_i). 

For simplicity, we restrict our attention in what follows to finite, singular default 
theories, consisting of finite sets of default rules and sentences. 
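
The fixpoint character of Definition 1 can be made concrete with a small guess-and-check sketch. It is only an illustration under strong assumptions that are not part of the paper: W and all components of defaults are single literals (written "A" or "-A"), so that logical closure reduces to set membership, and only consistent candidate sets are tried. The names `neg`, `extensions`, and `THEORY_4` are hypothetical; the sample theory is the three-rule example (4) discussed in Section 4.

```python
from itertools import combinations


def neg(lit):
    """Complement of a literal written as 'A' or '-A'."""
    return lit[1:] if lit.startswith("-") else "-" + lit


def extensions(defaults, facts):
    """Enumerate extensions of a literal-only default theory by guess and check.

    Each default is (name, prerequisites, justifications, consequent), where
    prerequisites is a frozenset of literals and justifications a tuple.
    """
    found = []
    for k in range(len(defaults) + 1):
        for chosen in combinations(defaults, k):
            guess = set(facts) | {d[3] for d in chosen}
            if any(neg(l) in guess for l in guess):
                continue  # assumption: only consistent candidates are tried
            current = set(facts)  # E_0 = W
            while True:
                # GD_i: prerequisites hold in E_i, justifications are
                # consistent with the guessed extension E (not with E_i).
                gd = [d for d in defaults
                      if d[1] <= current
                      and all(neg(b) not in guess for b in d[2])]
                nxt = current | {d[3] for d in gd}  # E_{i+1}
                if nxt == current:
                    break
                current = nxt
            if current == guess and guess not in found:
                found.append(guess)
    return found


# Example (4): n1 = A:B/B, n2 = :-B/-B, n3 = :A/A, with W empty.
THEORY_4 = [
    ("n1", frozenset({"A"}), ("B",), "B"),
    ("n2", frozenset(), ("-B",), "-B"),
    ("n3", frozenset(), ("A",), "A"),
]
RESULT = extensions(THEORY_4, set())
print(RESULT)
```

The guess plays the role of E in the specification of GD_i, which is exactly why the definition is not constructive: the iteration can only confirm or reject a candidate, not produce one.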


3 Preference-Handling in Standard Default Logic 


For adding preferences among default rules, a default theory is usually extended with 
an ordering on the set of default rules. In accord with [4], we define: 


Definition 2. A prioritized default theory is a triple (D, W, <) where (D, W) is a default 
theory and < is a strict partial order on D. 


In contrast to [4], however, we use the ordering < in the sense of “higher priority”, i.e., 
δ < δ′ expresses that δ′ has “higher priority” than δ. 

The methodology of [6] provides a translation, T, that takes such a prioritized theory 
(D, W, <) and translates it into a regular default theory T((D, W, <)) = (D′, W′) 
such that the explicit preferences in < are “compiled” into D′ and W′ and such that the 
extensions of (D′, W′) correspond to the “preferred” extensions of (D, W, <). Moreover, 
the approach admits not only “static” preferences as discussed here (where the 
ordering of the defaults is specified at the meta-level) but also “dynamic” preferences 
within the object language. 

In [6], to begin with, a unique name is associated with each default rule. This is 
done by extending the original language by a set of constants¹ N such that there is a 
bijective mapping n : D → N. We write n_δ instead of n(δ) (and abbreviate n_{δ_i} by n_i to 
ease notation). Also, for default rule δ with name n, we sometimes write n : δ to render 


¹ McCarthy effectively first suggested the naming of defaults using a set of aspect functions [13]; 
Theorist [15] uses atomic propositions to name defaults. 
naming explicit. To encode the fact that we deal with a finite set of distinct default 
rules, we adopt a unique names assumption (UNA) and domain closure assumption 
(DCA) with respect to N. That is, for a name set N = {n_1, ..., n_m}, we add axioms 

\[
\begin{aligned}
UNA_N &: (n_i \neq n_j) \text{ for all } n_i, n_j \in N \text{ with } i \neq j; \\
DCA_N &: \forall x.\ name(x) \equiv (x = n_1 \lor \cdots \lor x = n_m).
\end{aligned}
\]

For convenience, we write ∀x ∈ N. P(x) instead of ∀x. name(x) ⊃ P(x). 

Given δ_i < δ_j, we want to ensure that, before δ_i is applied, δ_j can be applied or 
found to be inapplicable. 

More formally, we wish to exclude the case where δ_i ∈ GD_n but δ_j ∉ GD_n although 
δ_j ∈ GD_m, for some m > n in Definition 1. For this purpose, we need to be 
able to (i) detect when a rule has been applied or when a rule is blocked, and (ii) control 
the application of a rule based on other antecedent conditions. For a default rule α:β/γ 
there are two cases for it to not be applied: it may be that the antecedent is not known to 
be true (and so its negation is consistent), or it may be that the justification is not consistent 
(and so its negation is known to be true). For detecting this case, we introduce a 
new, special-purpose predicate bl(·). Similarly we introduce a predicate ap(·) to detect 
when a rule has been applied. To control application of a rule we introduce predicate 
ok(·). Then, a default rule δ = α:β/γ is mapped to 

\[
\frac{\alpha \land ok(n_\delta) : \beta}{\gamma \land ap(n_\delta)}, \qquad
\frac{ok(n_\delta) : \neg\alpha}{bl(n_\delta)}, \qquad
\frac{\neg\beta \land ok(n_\delta) : }{bl(n_\delta)} \tag{1}
\]

These rules are sometimes abbreviated by δ_a, δ_b1, δ_b2, respectively. While δ_a is more or 
less the image of the original rule δ, rules δ_b1 and δ_b2 capture the non-applicability of 
the rule. 

None of the three rules in the translation can be applied unless ok(n_δ) is true. Since 
ok(·) is a new predicate symbol, it can be expressly made true in order to potentially 
enable the application of the three rules in the image of the translation. If ok(n_δ) is true, 
the first rule of the translation may potentially be applied. If a rule has been applied, 
then this is indicated by asserting ap(n_δ). The last two rules give conditions under 
which the original rule is inapplicable: either the negation of the original antecedent α 
is consistent (with the extension) or the justification β is known to be false; in either 
such case bl(n_δ) is concluded. 


We can assert that default n_j : α_j:β_j/γ_j is preferred to n_i : α_i:β_i/γ_i in the object language 
by introducing a new predicate, ≺, and then asserting that n_i ≺ n_j. However, 
this translation so far does nothing to control the order of rule application. Nonetheless, 
for δ_i < δ_j we can now control the order of rule application: we can assert that if δ_j 
has been applied (and so ap(n_j) is true), or known to be inapplicable (and so bl(n_j) is 
true), then it is ok to apply δ_i. The idea is thus to delay the consideration of less preferred 
rules until the applicability question has been settled for the higher ranked rules. 


Formally, this is realized by adding the axiom 

\[ \forall x \in N.\ [\forall y \in N.\ (x \prec y) \supset (bl(y) \lor ap(y))] \supset ok(x) \tag{2} \]

to the translation. 
To summarize, let T((D, W, <)) = (D′, W′) be the translation obtained in this way, 
for a given prioritized default theory (D, W, <). Then, the prioritized extensions of 
(D, W, <) are determined by the (regular) extensions of (D′, W′), modulo the original 
language. 

It is important to note that this translation schema is just one possible preference 
strategy. Changes to the conditions when a default is considered to be applicable (realized 
by the specific form of the decomposed defaults δ_a, δ_b1, δ_b2 and axiom (2)) result 
in different preference strategies. Also, further rules and special-purpose predicates can 
be added, if needed. For instance, in Sections 5 and 6 we rely on an additional predicate 
ko(·) that aims at eliminating rules from the reasoning process. 


4 Brewka and Eiter’s Approach to Preference 


We now describe the approach to dealing with a prioritized default theory introduced 
in [4]. First, partially ordered default theories are reduced to totally ordered ones.² 


Definition 3. A fully prioritized default theory is a prioritized default theory (D, W, <) 
where < is a total ordering. 


The general case of arbitrary prioritized default theories is reduced to this restricted 
case as follows. 


Definition 4. Let (D, W, <) be a prioritized default theory. Then, E is a prioritized 
extension of (D, W, <) iff E is a prioritized extension of some fully prioritized default 
theory (D, W, <′) such that < ⊆ <′. 


Conclusions of prioritized default theories are defined in terms of prioritized exten- 
sions, which are a subset of the regular extensions of a default theory, i.e., the extensions 
of (D, W) according to [16]. 

The construction of prioritized extensions relies on the notion of activeness [1, 2]. 
A default δ is active in a set of formulas S, if (i) Prereq(δ) ∈ S, (ii) ¬Justif(δ) ∉ S, 
and (iii) Conseq(δ) ∉ S hold. Intuitively, a default is active in S if it is applicable with 
respect to S but has not yet been applied. 


Definition 5. Let Δ = (D, W, <) be a fully prioritized prerequisite-free default theory. 
The operator C is defined as follows: C(Δ) = ⋃_{i≥0} E_i, where E_0 = Th(W), and for 
every i > 0, 

\[
E_i = \begin{cases}
\bigcup_{j<i} E_j & \text{if no default from } D \text{ is active in } \bigcup_{j<i} E_j; \\[4pt]
Th\big(\bigcup_{j<i} E_j \cup \{Conseq(\delta)\}\big) & \text{otherwise, where } \delta \in D \text{ is the maximal default (wrt. } <\text{) active in } \bigcup_{j<i} E_j.
\end{cases}
\]


In the case of prerequisite-free, normal default theories, the operator C always produces 
an extension in the sense of [16] and thus can directly be used to define prioritized 
extensions: 


² In fact, [4] deal with so-called well-orderings, which are generalised total orderings, needed 
for treating infinite domains. 

Definition 6. Let Δ = (D, W, <) be a fully prioritized prerequisite-free, normal default 
theory. Then, E is the prioritized extension of Δ iff E = C(Δ). 


The next definition addresses the more general class of prerequisite-free theories: 


Definition 7. Let Δ = (D, W, <) be a fully prioritized prerequisite-free default theory. 
Then, a set E of formulas is a prioritized extension of Δ iff E = C(Δ^E), where Δ^E = 
(D^E, W, <) and D^E = D \ {δ ∈ D | Conseq(δ) ∈ E and ¬Justif(δ) ∈ E}. 


That is, Δ^E is obtained from Δ by deleting all defaults whose consequents are in E 
and which are defeated in E. Clearly, this leaves normal rules unaffected. The purpose 
of this filter is illustrated in [4] by the following default theory: 

\[
\Delta_3 = \left( \left\{ n_1 : \frac{: \neg B}{A},\ n_2 : \frac{: \neg A}{\neg A},\ n_3 : \frac{: A}{A},\ n_4 : \frac{: B}{B} \right\},\ \emptyset,\ \{ \delta_j < \delta_i \mid i < j \} \right) \tag{3}
\]

This theory has two regular extensions, Th({A, B}) and Th({¬A, B}). Applying operator 
C to Δ_3 yields the first extension. However, it is argued in [4] that this extension 
does not preserve priorities because default δ_2 is defeated in E by applying a default 
which is less preferred than δ_2, namely default δ_3. This extension is ruled out by the filter 
in Definition 7 because Th({A, B}) ≠ Th({¬A, B}) = C(Δ_3^{Th({A,B})}). Theory 
Δ_3 has therefore no prioritized extension. 
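
The effect of operator C and of the filter in Definition 7 on theory (3) can be traced with a short sketch. It rests on assumptions that are not part of the paper: formulas are single literals ("A" or "-A"), so Th is treated as set membership, defaults are prerequisite-free triples, and the list order encodes the total order with the highest priority first. The names `neg`, `active`, `c_operator`, `is_prioritized`, and `DELTA_3` are hypothetical.

```python
def neg(lit):
    """Complement of a literal written as 'A' or '-A'."""
    return lit[1:] if lit.startswith("-") else "-" + lit


def active(default, s):
    """Activeness for a prerequisite-free default (name, justification, consequent)."""
    _, justification, consequent = default
    return neg(justification) not in s and consequent not in s


def c_operator(defaults, facts):
    """Operator C of Definition 5; `defaults` lists the highest priority first."""
    e = set(facts)
    while True:
        candidates = [d for d in defaults if active(d, e)]
        if not candidates:
            return e
        e.add(candidates[0][2])  # apply the maximal active default


def is_prioritized(defaults, facts, e):
    """Definition 7: drop defeated defaults whose consequent is in E, then compare."""
    kept = [d for d in defaults
            if not (d[2] in e and neg(d[1]) in e)]
    return c_operator(kept, facts) == set(e)


# Theory (3): n1 has the highest priority, n4 the lowest.
DELTA_3 = [
    ("n1", "-B", "A"),
    ("n2", "-A", "-A"),
    ("n3", "A", "A"),
    ("n4", "B", "B"),
]

print(c_operator(DELTA_3, set()))
print(is_prioritized(DELTA_3, set(), {"A", "B"}))
print(is_prioritized(DELTA_3, set(), {"-A", "B"}))
```

Under these assumptions, C applied to the unfiltered theory reproduces the extension containing A and B, while neither regular extension passes the filtered test, in line with the discussion above.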

The next definition accounts for the general case by reducing it to the prerequisite-free 
one. For checking whether a given regular extension E is prioritized, Brewka and 
Eiter evaluate the prerequisites of the default rules according to the extension E. To this 
end, for a default δ, define δ′ as the prerequisite-free version of δ, i.e., δ′ results from 
δ by replacing Prereq(δ) by ⊤. 


Definition 8. Let Δ = (D, W, <) be a fully prioritized default theory and E a set of 
formulas. The default theory Δ_E = (D_E, W, <_E) is obtained from Δ as follows: 


1. D_E = {δ′ | δ ∈ D and Prereq(δ) ∈ E}; 
2. for any δ′_1, δ′_2 ∈ D_E, δ′_1 <_E δ′_2 iff δ_1 < δ_2 where δ_i = max_<{δ ∈ D | δ′ = δ′_i}. 


In other words, D_E is obtained from D by (i) eliminating every default δ ∈ D such that 
Prereq(δ) ∉ E, and (ii) replacing Prereq(δ) by ⊤ in all remaining defaults δ. 


Definition 9. Let Δ = (D, W, <) be a fully prioritized default theory. Then, E is a prioritized 
extension of Δ, if (i) E is a classical extension of Δ, and (ii) E is a prioritized 
extension of Δ_E. 


That is, (ii) is equivalent to E = C((Δ_E)^E). 
For illustration, consider [4, Example 4]: 

\[ \frac{: A}{A} \;<\; \frac{: \neg B}{\neg B} \;<\; \frac{A : B}{B} \tag{4} \]

and where W = ∅. This theory, Δ, has two regular extensions: E_1 = Th({A, B}) 
and E_2 = Th({A, ¬B}). Δ_{E_1} amounts to :A/A < :¬B/¬B < :B/B. Clearly, (Δ_{E_1})^{E_1} = 
Δ_{E_1}. Also, we obtain that C(Δ_{E_1}) = E_1, that is, E_1 is a prioritized extension. In 
contrast to this, E_2 is not prioritized. While Δ_{E_2} = Δ_{E_1} and (Δ_{E_2})^{E_2} = Δ_{E_2}, we get 
C((Δ_{E_2})^{E_2}) = E_1 ≠ E_2. That is, C((Δ_{E_2})^{E_2}) reproduces E_1 rather than E_2. 
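
The two-step test of Definition 9 can be replayed on theory (4) with the following sketch. As before, it is an illustration under assumptions that are not in the paper: formulas are single literals, Th is treated as set membership, defaults are 4-tuples listed with the highest priority first, and no two defaults collapse to the same prerequisite-free rule (so the inherited order of Definition 8 is simply the list order). All function and variable names are hypothetical.

```python
def neg(lit):
    """Complement of a literal written as 'A' or '-A'."""
    return lit[1:] if lit.startswith("-") else "-" + lit


def is_extension(defaults, facts, e):
    """Definition 1 as a check; defaults are (name, prereqs, justification, consequent)."""
    current = set(facts)
    while True:
        nxt = current | {c for _, pre, just, c in defaults
                         if pre <= current and neg(just) not in e}
        if nxt == current:
            return current == set(e)
        current = nxt


def reduce_by(defaults, e):
    """Definition 8: keep defaults whose prerequisites hold in E, then drop them."""
    return [(name, frozenset(), just, c)
            for name, pre, just, c in defaults if pre <= e]


def c_operator(defaults, facts):
    """Operator C on prerequisite-free defaults, highest priority first."""
    e = set(facts)
    while True:
        act = [d for d in defaults if neg(d[2]) not in e and d[3] not in e]
        if not act:
            return e
        e.add(act[0][3])


def is_prioritized_extension(defaults, facts, e):
    """Definition 9: (i) regular extension, (ii) E = C((Delta_E)^E)."""
    e = set(e)
    if not is_extension(defaults, facts, e):
        return False
    reduced = reduce_by(defaults, e)
    kept = [d for d in reduced if not (d[3] in e and neg(d[2]) in e)]
    return c_operator(kept, facts) == e


# Theory (4), highest priority first: A:B/B, then :-B/-B, then :A/A.
THEORY_4 = [
    ("n1", frozenset({"A"}), "B", "B"),
    ("n2", frozenset(), "-B", "-B"),
    ("n3", frozenset(), "A", "A"),
]

print(is_prioritized_extension(THEORY_4, set(), {"A", "B"}))
print(is_prioritized_extension(THEORY_4, set(), {"A", "-B"}))
```

Both candidate sets pass the regular-extension check; only the second step separates them, which mirrors the guess-and-check reading used in Section 5.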
This example reveals the difference between the prescriptive methodology of [6] 
discussed in the previous section, and Brewka and Eiter’s descriptive approach discussed 
here, insofar as the former method actually selects no prioritized extension. Intuitively, 
this can be explained by the observation that for the highest-ranked default 
A:B/B, neither applicability nor blockage can be asserted: Either of these properties relies 
on the applicability of lesser-ranked defaults, effectively resulting in a circular situation 
destroying any possible extension. Nonetheless, as we show next, the methodology of 
[6] is general enough to admit a suitable preference strategy enforcing the simulation 
of prioritized extensions in the sense of Definition 9. 


5 Prioritized Extensions via Standard Default Logic 


Given an alphabet P of some language L_P, we define a disjoint alphabet P′ as P′ = 
{p′ | p ∈ P} (so implicitly there is an isomorphism between P and P′). Then, for 
α ∈ L_P, we define α′ ∈ L_P′ as the result of replacing in α each proposition p from 
P by the corresponding proposition p′ in P′. This is defined analogously for sets of 
formulas, default rules and sets of default rules. We abbreviate L_P and L_P′ by L and 
L′, respectively. 

We obtain the following translation mapping prioritized default theories in some 
language L onto standard default theories in the language L° obtained by extending 
L ∪ L′ by new predicate symbols (· ≺ ·), ok(·), ko(·), bl(·), and ap(·), and a set of 
associated default names: 


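Definition 10. Given a prioritized default theory Δ = (D, W, <) over L and its set of 
default names N = {n_δ | δ ∈ D}, define T_BE(Δ) = (D°, W°) over L° by: 

\[
\begin{aligned}
D^\circ ={}& D \cup \left\{ \frac{ok(n_\delta) \land \alpha : \beta, \beta'}{\gamma' \land ap(n_\delta)},\ \frac{ok(n_\delta) : \neg\alpha, \neg\alpha'}{bl(n_\delta)},\ \frac{ok(n_\delta) \land \neg\beta \land \neg\beta' : }{bl(n_\delta)} \;\middle|\; \delta = \frac{\alpha : \beta}{\gamma} \in D \right\} && (5) \\
& \cup \left\{ \frac{: \neg(x \prec y)}{\neg(x \prec y)},\ \frac{: \exists x \in N.\ \neg ok(x)}{\bot} \right\} \cup \left\{ \frac{\gamma \land \neg\beta : }{ko(n_\delta)} \;\middle|\; \delta = \frac{\alpha : \beta}{\gamma} \in D \right\} && (6) \\
W^\circ ={}& W \cup W' && (7) \\
& \cup \{ n_1 \prec n_2 \mid (\delta_1, \delta_2) \in {<} \} \cup \{ DCA_N, UNA_N \} && (8) \\
& \cup \{ \forall x \in N.\ [\forall y \in N.\ ko(y) \lor [(x \prec y) \supset (bl(y) \lor ap(y))]] \supset ok(x) \} && (9)
\end{aligned}
\]

We denote the second group of rules in (5) by δ°_a, δ°_b1, and δ°_b2; those in (6) are abbreviated 
by δ°_≺, δ°_⊥, and δ°_c, respectively. 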

It is important to note that the inclusions D ⊆ D° and W ⊆ W° hold. As we 
show in Theorem 2, this allows us to construct regular extensions of (D, W) within 
extensions of (D°, W°). Such an extension can be seen as the guess in a guess-and-check 
approach; it corresponds to Condition (i) in Definition 9. 

The salient part of the corresponding check, viz. Condition (ii) in Definition 9, is 
accomplished by the second group of rules in (5) and the remaining facts in W°. Together 
with W′ ⊆ W°, the rules of form δ°_a aim at rebuilding the guessed extension in 
L′. They form the prerequisite-free counterpart of the original default theory in L′. In 
fact, the prerequisite of δ°_a refers via α to the guessed extension in L; no formula in L′ 
must be derived for applying δ°_a. This accounts for the elimination of prerequisites in 
Condition (1) of Definition 8. Moreover, the elimination of rules whose prerequisites 
are not derivable is accomplished by rules of form δ°_b1. Rules of form δ°_b2 guarantee that 
defaults are only defeatable by rules with higher priority. In fact, it is ¬β′ that must be 
derivable in such a way only. 

The application of rules according to the given preference information is enforced 
by axiom (9): For every n_i, we derive ok(n_i) whenever, for every n_j, either ko(n_j) is 
true, or, if n_i ≺ n_j holds, either ap(n_j) or bl(n_j) is true. This axiom allows us to derive 
ok(n_i), indicating that δ_i may potentially be applied, whenever we have for all δ_j with 
δ_i < δ_j that δ_j has been applied or cannot be applied, or δ_j has already been eliminated 
from the preference handling process. This elimination of rules is in accord with Definition 7 
and realized by δ°_c. The preference information in (8) is rendered complete 
through rules of form δ°_≺. This completion is necessary for the formula in (9) to work 
properly: whenever (δ_i, δ_j) ∉ <, rule δ°_≺ allows us to conclude (in the extension) that 
¬(n_i ≺ n_j) holds. 

Lastly, δ°_⊥ rules out unsuccessful attempts in rebuilding the regular extension from 
L within L′ according to the given preference information. In this way, we eliminate all 
regular extensions that do not respect preference. 


For illustration, reconsider theory (4), viz. 

\[ n_3 : \frac{: A}{A} \;<\; n_2 : \frac{: \neg B}{\neg B} \;<\; n_1 : \frac{A : B}{B} \]

and W = ∅. Recall that this theory has two regular extensions: one containing {A, ¬B} 
and another containing {A, B}; but that only the latter is a prioritized extension according 
to [3]. We get: 

\[
\begin{gathered}
\frac{: A}{A} \qquad \frac{: \neg B}{\neg B} \qquad \frac{A : B}{B} \\[6pt]
\frac{ok(n_3) : A, A'}{A' \land ap(n_3)} \qquad \frac{ok(n_2) : \neg B, \neg B'}{\neg B' \land ap(n_2)} \qquad \frac{ok(n_1) \land A : B, B'}{B' \land ap(n_1)} \qquad \frac{: \neg ok(n_1) \lor \neg ok(n_2) \lor \neg ok(n_3)}{\bot} \\[6pt]
\frac{ok(n_1) : \neg A, \neg A'}{bl(n_1)} \\[6pt]
\frac{ok(n_3) \land \neg A \land \neg A' : }{bl(n_3)} \qquad \frac{ok(n_2) \land B \land B' : }{bl(n_2)} \qquad \frac{ok(n_1) \land \neg B \land \neg B' : }{bl(n_1)}
\end{gathered}
\]

For brevity, we omit all defaults of form (: ¬(x ≺ y))/¬(x ≺ y). 


First, suppose there is an extension with A and ¬B. Clearly, :A/A and :¬B/¬B contribute 
to such an extension. Having ¬B denies the derivation of ap(n_1). Also, we do not get 
bl(n_1) since we can neither derive ¬B′ nor is ¬A consistent. Therefore, we do not 
obtain ok(n_2); thus, ¬ok(n_2) is consistent and we obtain ⊥ which destroys the putative 
extension at hand. 

Next, consider a candidate extension with A and B. In this case, :A/A and A:B/B 
apply. Given ok(n_1) and A, we may derive B′ ∧ ap(n_1). This gives ok(n_2) and then 
ok(n_2) ∧ B ∧ B′, from which we get bl(n_2). Finally, we derive ok(n_3) and A′ ∧ ap(n_3). 
Unlike the above, we cannot derive ⊥ and we obtain an extension containing A and B. 
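For another example, consider the theory obtained from example (3): 

\[
\begin{gathered}
\frac{: \neg B}{A} \qquad \frac{: \neg A}{\neg A} \qquad \frac{: A}{A} \qquad \frac{: B}{B} \\[6pt]
\frac{ok(n_1) : \neg B, \neg B'}{A' \land ap(n_1)} \qquad \frac{ok(n_2) : \neg A, \neg A'}{\neg A' \land ap(n_2)} \qquad \frac{ok(n_3) : A, A'}{A' \land ap(n_3)} \qquad \frac{ok(n_4) : B, B'}{B' \land ap(n_4)} \qquad \frac{: \exists x \in N.\ \neg ok(x)}{\bot} \\[6pt]
\frac{ok(n_1) \land B \land B' : }{bl(n_1)} \qquad \frac{ok(n_2) \land A \land A' : }{bl(n_2)} \qquad \frac{ok(n_3) \land \neg A \land \neg A' : }{bl(n_3)} \qquad \frac{ok(n_4) \land \neg B \land \neg B' : }{bl(n_4)} \\[6pt]
\frac{A \land B : }{ko(n_1)}
\end{gathered}
\]

While this theory has two regular extensions, it has no prioritized extension under the 
ordering imposed in (3). Suppose there is a prioritized extension containing A and B. 
This yields ko(n_1) and then (9) gives ok(n_2). Having A excludes (δ_2)°_a. Moreover, we 
cannot apply (δ_2)°_b2 since A′ is not derivable (by higher-ranked rules). We thus cannot 
derive ok(n_3), which leads to a destruction of the current extension through δ°_⊥. 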

The next theorem gives the major result of our paper. 


Theorem 1. Let Δ = (D, W, <) be a prioritized default theory over L and E a set of 
formulas over L. 

E is a prioritized extension of Δ iff E = F ∩ L and F is a (regular) extension of 
T_BE(Δ). 


In what follows, we elaborate upon the structure of the encoded default theories: 


Theorem 2. Let Δ = (D, W, <) be a prioritized default theory over L and let E° be 
a regular extension of T_BE(Δ) = (D°, W°). Then, we have the following results: 


1. E° ∩ L is a (regular) extension of (D, W); 
2. (E° ∩ L)′ = E° ∩ L′ (or φ ∈ E° iff φ′ ∈ E° for φ ∈ L); 
3. δ ∈ D ∩ GD(D°, E°) iff δ°_a ∈ GD(D°, E°); 
4. δ ∈ D \ GD(D°, E°) iff δ°_b1 ∈ GD(D°, E°) or δ°_b2 ∈ GD(D°, E°); 
5. if δ°_c ∈ GD(D°, E°), then δ°_b2 ∈ GD(D°, E°). 


The last property shows that eliminated rules are eventually found to be inapplicable. 
This illustrates another choice of our translation: instead of using the second group of 
rules in (5), we could have used 

\[
\left\{ \frac{ok(n) \land \alpha : \beta, \beta', \neg ko(n)}{\gamma' \land ap(n)},\ \frac{ok(n) : \neg\alpha, \neg\alpha', \neg ko(n)}{bl(n)},\ \frac{ok(n) \land \neg\beta \land \neg\beta' : \neg ko(n)}{bl(n)} \;\middle|\; n : \frac{\alpha : \beta}{\gamma} \in D \right\}
\]

Although this renders the derivation of ap(n), bl(n), and ko(n) mutually exclusive, the 
additional justification ¬ko(n) is not needed. That is, it is sufficient to remove α:β/γ from 
the preference handling process; the rule is found to be blocked anyway. 

The following theorem summarizes some technical properties of our translation: 


Theorem 3. Let E be a consistent extension of T_BE(Δ) for prioritized default theory 
Δ = (D, W, <). We have for all δ, δ′ ∈ D that 

1. n_δ ≺ n_δ′ ∈ E iff ¬(n_δ ≺ n_δ′) ∉ E; 

2. ok(n_δ) ∈ E; 

3. ap(n_δ) ∈ E iff bl(n_δ) ∉ E. 


The two last results reveal an alternative choice for δ°_⊥, namely (: ∃x ∈ N. ¬ap(x) ∧ ¬bl(x))/⊥. 
One may wonder how our translation avoids the explicit use of total extensions of 
the given partial order. The next theorem shows that these total extensions are reflected 
by the grounded enumerations of the second group of rules in (5): 


Theorem 4. Given the same prerequisites as in Theorem 2, let (6?)ier be some 
grounded enumeration of GD(D°, E°). For all 61,62 € DEE, define 6, < 69 iff 
ka < ky where k; = min{i € I | 6? = (6;)2 fora € {a, bi, b2}} for k = 1,2. Then, 
< is a total ordering on DE’ such that K C (<A (DE x DE*)), 


That is, whenever A = A” according to Definition 7, we have that < is a total ordering 
on D such that <C<. 

Finally, one may ask why we do not need to account for the “inherited” ordering 
in Condition 2 of Definition 8. In fact, this is taken care of through the “tags” ap(n_δ) 
in the consequents of rules δ°_a that guarantee an isomorphism between D and D_E in 
Definition 8. More generally, such a “tagging of consequents” provides an effective 
correspondence between the applicability of default rules and the presence of their consequents 
in an extension at hand. As a side effect, this facilitates the notion of activeness 
in Section 4 by rendering Condition (iii) unnecessary. 


6 Compiling Prioritized Answer Sets 


In this section, we describe how Brewka and Eiter’s preference approach [3] for ex- 
tended logic programs can be encoded within standard answer set semantics, following 
the methodology developed in [8]. We commence with a recapitulation of the necessary 
concepts. 

As usual, a literal, L, is an expression of the form p or ¬p, where p is an atom. The 
set of all literals is denoted by Lit. A rule, r, is an expression of the form 

\[ L_0 \leftarrow L_1, \ldots, L_m, \mathit{not}\ L_{m+1}, \ldots, \mathit{not}\ L_n, \tag{10} \]

where n ≥ m ≥ 0, and each L_i (0 ≤ i ≤ n) is a literal. The symbol “not” denotes 
negation as failure, or weak negation. Accordingly, the classical negation sign 
“¬” is in this context also said to represent strong negation. The literal L_0 is called 
the head of r, and the set {L_1, ..., L_m, not L_{m+1}, ..., not L_n} is the body of r. 
We use head(r) to denote the head of rule r, and body(r) to denote the body of r. 
Furthermore, let body+(r) = {L_1, ..., L_m} and body−(r) = {L_{m+1}, ..., L_n}. The 
elements of body+(r) are referred to as the prerequisites of r. If body+(r) = ∅, then r is 
a prerequisite-free rule; if body(r) = ∅, then r is a fact; if r contains no variables, then 
r is ground. We say that a rule r is defeated by a set of literals X iff body−(r) ∩ X ≠ ∅. 
As well, each literal in body−(r) ∩ X is said to defeat r. We define not X as the set 
{not L | L ∈ X}. 

A set of literals X is consistent iff it does not contain a complementary pair p, ¬p 
of literals. We say that X is logically closed iff it is either consistent or equals Lit. 

A rule base is any collection of rules; an (extended) logic program, or simply a 
program, is a finite rule base. A rule base (program) is prerequisite-free (ground) if all 
rules in it are prerequisite-free (ground). 
For a rule base R, we denote by R* the ground instantiation of R over the Herbrand 
universe of the language L of R. 
The answer set semantics interprets ground rules of the form (10) as defaults 

\[ \frac{L_1 \land \ldots \land L_m : \neg L_{m+1}, \ldots, \neg L_n}{L_0} \tag{11} \]

A set X of ground literals is called an answer set of the ground program P iff X is of 
the form E ∩ Lit, where E is an extension of the default theory obtained by identifying 
each rule r ∈ P as a default of the form (11). Answer sets of programs not necessarily 
ground are obtained by taking the answer sets of the ground instantiation P* of P. 
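
For ground programs, the same answer sets can be computed without going through default logic, using the standard reduct-based characterisation of answer sets. The sketch below uses that characterisation rather than the default-logic reading given above; it is a brute-force illustration, restricted to consistent candidate sets, and all names (`neg`, `least_model`, `answer_sets`, `PROGRAM`) are hypothetical. The sample program is the logic programming counterpart of example (4).

```python
from itertools import combinations


def neg(lit):
    """Complement of a literal written as 'a' or '-a'."""
    return lit[1:] if lit.startswith("-") else "-" + lit


def least_model(positive_rules):
    """Smallest set of literals closed under rules (head, positive_body)."""
    model = set()
    changed = True
    while changed:
        changed = False
        for head, pos in positive_rules:
            if pos <= model and head not in model:
                model.add(head)
                changed = True
    return model


def answer_sets(program):
    """Brute-force answer sets of ground rules (head, body_plus, body_minus)."""
    heads = sorted({head for head, _, _ in program})
    result = []
    for k in range(len(heads) + 1):
        for cand in combinations(heads, k):
            x = set(cand)
            if any(neg(l) in x for l in x):
                continue  # assumption: inconsistent candidates are skipped
            # Reduct: delete rules defeated by x, drop the remaining 'not' parts.
            reduct = [(h, pos) for h, pos, minus in program if not (minus & x)]
            if least_model(reduct) == x:
                result.append(x)
    return result


# b <- a, not -b.    -b <- not b.    a <- not -a.
PROGRAM = [
    ("b", frozenset({"a"}), frozenset({"-b"})),
    ("-b", frozenset(), frozenset({"b"})),
    ("a", frozenset(), frozenset({"-a"})),
]
ANSWER_SETS = answer_sets(PROGRAM)
print(ANSWER_SETS)
```

Only subsets of rule heads are tried as candidates, since no other literal can belong to an answer set.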

A prioritized logic program is a pair Π = (P, <), where P is a logic program and 
< is a strict partial order. Following [3], the ground instantiation of a prioritized logic 
program (P, <) is obtained as follows: Let P* be the ground instantiation of P and 
define r* <* s* for r*,s* € P* providing r*, s* are instances of r,s € P, respectively, 
such that r < s. If <* is a strict partial order, then the pair (P*, <*) defines the ground 
instantiation of (P, <); otherwise, the ground instantiation of (P,<) is undefined. In 
the sequel, we will be concerned with ground prioritized programs only. 

A fully prioritized logic program is a prioritized logic program (P,<) where < 
is a total ordering. Prioritized answer sets of prioritized logic programs are defined 
similarly to prioritized extensions of prioritized default theories. That is to say, first the 
prerequisite-free case is treated, and afterwards the general case is addressed in terms 
of the prerequisite-free case. 

For fully prioritized ground programs, Definitions 5 and 7 boil down to the following 
operator: Let Π = (P, <) be a fully prioritized ground prerequisite-free logic 
program, ⟨r_i⟩_{i∈I} be an enumeration of the ordering <, and X be a set of literals. Then, 
C_Π(X) is the smallest logically closed set of literals containing ⋃_{i∈I} X_i, where 

\[
X_i = \begin{cases}
\bigcup_{j<i} X_j & \text{if } r_i \text{ is defeated by } \bigcup_{j<i} X_j, \text{ or } head(r_i) \in X \text{ and } r_i \text{ is defeated by } X; \\[4pt]
\bigcup_{j<i} X_j \cup \{head(r_i)\} & \text{otherwise.}
\end{cases}
\]

As in the default logic case, this construction is unique in the sense that for a fully 
prioritized prerequisite-free ground program Π, there is at most one answer set X of P 
such that C_Π(X) = X (cf. [3, Lemma 4.1]). Accordingly, this set is referred to as the 
prioritized answer set of Π, if it exists. Prioritized answer sets of an arbitrary (i.e., not 
necessarily prerequisite-free) ground fully prioritized program Π = (P, <) are given 
by sets X of ground literals which are prioritized answer sets of the prioritized program 
Π_X = (P_X, <_X), where <_X is constructed just as the ordering <_E of Definition 8, 
and P_X results from P by (i) deleting any rule r ∈ P such that body+(r) ⊈ X, and (ii) 
removing any prerequisites in the body of the remaining rules. Lastly, X is a prioritized 
answer set of a ground prioritized logic program (P, <) iff (i) X is a (regular) answer 
set of P and (ii) X is a prioritized answer set of some fully prioritized program (P, <′) 
such that < ⊆ <′. 
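
The operator and the reduction to the prerequisite-free case can be sketched for a fully prioritized ground program as follows. The sketch makes assumptions that go beyond the text: the rule list is taken to enumerate the rules with the highest priority first, candidate sets are assumed consistent (so logical closure is the identity), and no two rules coincide after their prerequisites are removed. The names `is_answer_set`, `c_pi`, `is_prioritized_answer_set`, and `PROGRAM` are hypothetical; the program is again the counterpart of example (4).

```python
def is_answer_set(program, x):
    """Reduct-based check for ground rules (head, body_plus, body_minus)."""
    reduct = [(h, pos) for h, pos, minus in program if not (minus & x)]
    derived = set()
    changed = True
    while changed:
        changed = False
        for head, pos in reduct:
            if pos <= derived and head not in derived:
                derived.add(head)
                changed = True
    return derived == x


def c_pi(rules, x):
    """Operator C_Pi(X) for prerequisite-free rules, highest priority first."""
    acc = set()
    for head, _, minus in rules:
        if minus & acc:
            continue  # defeated by what has been derived so far
        if head in x and minus & x:
            continue  # head already in X and the rule is defeated by X
        acc.add(head)
    return acc


def is_prioritized_answer_set(rules, x):
    """(i) X is an answer set; (ii) X is reproduced by C on the program P_X."""
    x = set(x)
    if not is_answer_set(rules, x):
        return False
    # P_X: delete rules whose prerequisites fail in X, drop the prerequisites.
    reduced = [(h, frozenset(), minus) for h, pos, minus in rules if pos <= x]
    return c_pi(reduced, x) == x


# Highest priority first:  b <- a, not -b.   -b <- not b.   a <- not -a.
PROGRAM = [
    ("b", frozenset({"a"}), frozenset({"-b"})),
    ("-b", frozenset(), frozenset({"b"})),
    ("a", frozenset(), frozenset({"-a"})),
]

print(is_prioritized_answer_set(PROGRAM, {"a", "b"}))
print(is_prioritized_answer_set(PROGRAM, {"a", "-b"}))
```

For a partially ordered program, the same check would have to be repeated for the total orders extending the given one, as stated in condition (ii) above.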

This concludes the review of prioritized answer sets according to [3]; we continue 
with a compilation of this approach in standard answer set semantics. 
As in Section 5, given a ground prioritized program Π over language L, we assume 
a disjoint language L′ containing literals L′ for each L in L. Likewise, rule r′ results 
from r by replacing each literal L in r by L′. We maintain for rules the same naming 
convention as for defaults, i.e., the term n_r serves as name for rule r, similarly writing 
n : r as before. As well, the language L° extends L ∪ L′ by new ground atoms (n_r ≺ 
n_s), ok(n_r), ko(n_r), ry(n_r, n_s), bl(n_r), and ap(n_r), for each r, s in Π. 


Definition 11. Let IT = (P, <) be a prioritized ground logic program over £ such that 
P = {ri,..., 1x}. Then, the logic program Ie) over L° is given by 


PUU,ept(r) U {(m < nz) —| (71,72) € <}, 


where T(r) consists of the following collection of rules, for L € bodyt(r), K € 
body” (r), and s € P: 


ai(r): head(r’) — ap(n,) 

ag(r ap(n,) — ok(n,), body(r), not body” (r’) 
bi(r, bI(n,) — ok(n,), not L, not L’ 
be(r, K bl(n,) — ok(n,), K, Kk’ 


= ry(Np, Mp, ), ++ +5 tY(Nr, Nr, ) 
<— not (n, < ns) 

<— (np ~ ns), ap(ns) 

— (n, ~ ngs), bl(ns) 


L — not ok(n,) 
e(r,&):  ko(n,) — head(r), K 


The first group of rules in $\tau(r)$ expresses applicability and blocking conditions of $r$
and contains the counterparts of the corresponding applicability and blocking defaults in
Definition 10. To wit, applicability of $r$ is captured by the two rules $a_1(r)$ and $a_2(r)$, while $k$
rules of the form $b_1(r, L)$ and $b_2(r, K)$ detect blockage of $r$, where $k$ is the number of
literals in $body(r)$. The second group of rules unfolds axiom (9) and relies on auxiliary
atoms $ry(\cdot,\cdot)$ (“ready”), taking care of instantiating the quantification over names
expressed in (9). Finally, rules $d(r)$ and $e(r, K)$ likewise have direct counterparts among the
defaults of the default-logic encoding.

We obtain the following result corresponding to Theorem 1: 

Theorem 5. Let $\Pi = (P, <)$ be a prioritized ground logic program over $\mathcal{L}$ and $X$ a
set of literals over $\mathcal{L}$.

$X$ is a prioritized answer set of $\Pi$ iff $X = Y \cap \mathcal{L}$ and $Y$ is a (regular) answer set
of $\mathcal{T}(\Pi)$.

Additionally, given suitable concepts for the present case, analogous results to Theo- 
rems 2, 3, and 4 can be shown. We just note the counterpart of Theorem 3: 


Theorem 6. Let $X$ be a consistent answer set of $\mathcal{T}(\Pi)$ for prioritized logic program
$\Pi = (P, <)$. We have for all $r \in P$ that

1. $ok(n_r) \in X$;
2. $ap(n_r) \in X$ iff $bl(n_r) \notin X$.
The approach is implemented in Prolog and serves as a front-end to the logic programming
systems dlv [10] and smodels [14]. Our current prototype, called plp, is
available at http://www.cs.uni-potsdam.de/~torsten/plp/. This URL
also contains diverse examples taken from the literature. The implementation differs
from the approach described here in that the translation applies to named rules only; it
thus leaves unnamed rules unaffected.

For illustration, consider the logic programming counterpart of Example (4) in the
syntax of plp:

    b  :- name(1), not -b, a.
    -b :- name(2), not b.        2 < 1.
    a  :- name(3), not -a.       3 < 2.

We use ‘-’ (or ‘neg’) for classical negation and ‘not’ (or ‘~’) for negation as
failure. Furthermore, name(·) is used to identify rule names; and natural numbers
serve as names. Note that our implementation handles transitivity implicitly, so that
there is no need to specify 3 < 1.

This is then translated into the following (intermediate) standard program: 


     (1)  b :- not neg b, a.
     (2)  b1 :- ap(1).
     (3)  ap(1) :- name(1), ok(1), not neg b, not neg b1, a.
     (4)  bl(1) :- ok(1), neg b, neg b1.
     (5)  bl(1) :- ok(1), not a, not a1.
     (6)  ko(1) :- b, neg b.
     (7)  neg b :- not b.
     (8)  neg b1 :- ap(2).
     (9)  ap(2) :- name(2), ok(2), not b, not b1.
    (10)  bl(2) :- ok(2), b, b1.
    (11)  ko(2) :- neg b, b.
    (12)  a :- not neg a.
    (13)  a1 :- ap(3).
    (14)  ap(3) :- name(3), ok(3), not neg a, not neg a1.
    (15)  bl(3) :- ok(3), neg a, neg a1.
    (16)  ko(3) :- a, neg a.
    (17)  2 < 1.
    (18)  3 < 2.
    (19)  neg M < N :- name(N), name(M), N < M.
    (20)  N < M :- name(N), name(M), name(O), N < O, O < M.
    (21)  ok(N) :- name(N), ry(N, 1), ry(N, 2), ry(N, 3).
    (22)  ry(N, M) :- name(N), name(M), not N < M.
    (23)  ry(N, M) :- name(N), name(M), N < M, ap(M).
    (24)  ry(N, M) :- name(N), name(M), N < M, bl(M).
    (25)  ry(N, M) :- name(N), name(M), ko(M).
    (26)  false :- name(N), not ok(N).


The original rules, viz. $r_1$, $r_2$, and $r_3$, are given by (1), (7), and (12). The additional
encoding of, e.g., rule (1) is given by (2) to (6). We append the symbol ‘1’
for priming here, e.g., b1 is the primed version of b. In detail, (2) and (3) correspond
to $a_1(r_1)$ and $a_2(r_1)$, (4) and (5) correspond to $b_2(r_1, \neg B)$ and $b_1(r_1, A)$, and finally
(6) corresponds to $e(r_1, \neg B)$. Rules (19) and (20) are additional rules enforcing a
strict partial order. Rules (21) to (25) account for $c_1(r)$ to $c_5(r, s)$. Lastly, (26)
implements $d(r)$.
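
The rule-wise part of this translation is mechanical, which the following Python sketch tries to illustrate for the rules $a_1$, $a_2$, $b_1$, $b_2$ and $e$. It is not the plp implementation: the function names `prime` and `translate_rule`, the representation of a rule by its name, head and two body lists, and the order of literals inside the generated bodies are assumptions made for this illustration only.

```python
def prime(literal):
    """Primed copy of a literal, written by appending '1' (e.g. 'neg b' -> 'neg b1')."""
    return literal + "1"


def translate_rule(name, head, pos_body, neg_body):
    """Generate rules a1, a2, b1, b2 and e for one named rule (hypothetical helper).

    pos_body holds the literals L of the positive body,
    neg_body holds the literals K that occur under 'not'.
    """
    rules = []
    # a1(r): head(r') <- ap(n_r)
    rules.append(f"{prime(head)} :- ap({name}).")
    # a2(r): ap(n_r) <- ok(n_r), body(r), not body^-(r')
    body = [f"name({name})", f"ok({name})"]
    body += list(pos_body)
    body += [f"not {k}" for k in neg_body]
    body += [f"not {prime(k)}" for k in neg_body]
    rules.append(f"ap({name}) :- {', '.join(body)}.")
    # b1(r, L): bl(n_r) <- ok(n_r), not L, not L'
    for lit in pos_body:
        rules.append(f"bl({name}) :- ok({name}), not {lit}, not {prime(lit)}.")
    # b2(r, K): bl(n_r) <- ok(n_r), K, K'
    for k in neg_body:
        rules.append(f"bl({name}) :- ok({name}), {k}, {prime(k)}.")
    # e(r, K): ko(n_r) <- head(r), K
    for k in neg_body:
        rules.append(f"ko({name}) :- {head}, {k}.")
    return rules


# Rule 2 of the example: -b :- name(2), not b.
for line in translate_rule(2, "neg b", [], ["b"]):
    print(line)
```

For rule 2 this prints the counterparts of rules (8) to (11) above. The rules $c_1$ to $c_5$ and $d$ do not depend on the shape of an individual rule, which is why the intermediate program states them once with variables.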

The above program is then refined once more in order to account for some special
features of dlv and smodels, like the implementation of classical negation ‘neg’ and
‘false’. Also, an extensional database for rule names is provided.

Calling one of these provers with the respective input corresponding to the above 
program, we obtain the desired prioritized answer set containing the literals A and B 
(i.e., represented by a and b). 


7 Conclusion 


We have shown how the approach of Brewka and Eiter, both with respect to extended 
logic programs [3] and to default logic [4], can be expressed in our general framework 
for preferences [6, 8]. On the one hand, this illustrates the generality of our framework; 
on the other hand, it sheds light on Brewka and Eiter’s approaches, since it provides a 
translation and encoding of their approaches into extended logic programs and default 
logic, respectively. As well, our encoding allows a straightforward implementation of 
[3] via a translation into extended logic programs. 

Lastly, we note that our approach described in [8] used dynamic preference informa- 
tion, in that preferences were expressed within a logic program. As well, in the case of 
default logic, [6] also describes the incorporation of dynamic preferences. Thus in these 
approaches, preferences can be encoded as holding only in specific contexts, holding 
by default, and so on. Such a dynamic setting was also sketched in [4]. It is a straight- 
forward matter to extend Definitions 10 and 11 to handle this dynamic case as well. 
Abstract. We present a framework for decision making with the possibility to
express circumstance-dependent preferences among different alternatives for a 
decision. This new formalism, Ordered Choice Logic Programs (OCLP), builds 
upon choice logic programs to define a preference/specialization relation on sets 
of choice rules. We show that our paradigm is an intuitive extension of both 
ordered logic and choice logic programming such that decisions can comprise 
more than two alternatives which become only available when a choice is actu- 
ally forced. The semantics for OCL programs is based on stable models for which 
we supply a characterization in terms of assumption sets and a fixpoint algorithm. 
Furthermore we demonstrate that OCLPs allow an elegant translation of finite ex- 
tensive games with perfect information such that the stable models of the program 
correspond, depending on the transformation, to either the Nash equilibria or the 
subgame perfect equilibria of the game. 


1 Introduction 


Preferences among defaults or alternatives play an important role in nonmonotonic
reasoning, especially when modeling the complex way people reason in everyday life. In
case of conflict, humans prefer the default or alternative which provides more reliable,
more specific or more important information.

For the last two decades, a lot of research in the nonmonotonic reasoning community 
has concentrated on bringing preference into the different paradigms: for example logic 
programming ([6,9,12]), extended logic programming ([3]), extended disjunctive logic 
programming ([1]) and prioritized circumscription ([7]). We will discuss some of these 
systems in more detail later on in this paper when we compare them to our approach. 
These systems have demonstrated their usage in a wide variety of applications like law, 
object orientation, model based diagnosis or configuration tasks. They are especially 
suitable for working with exceptions to defaults. 

In this paper we present a formalism that enables us to reason about decisions with 
more than two alternatives where the preference between alternatives depends on the 
situation. The systems mentioned above do not support such dynamic preferences: they 
either use the preferences when the model is already being computed, which means that 
the decisions are already made, or they only support preferences between rules with opposite
consequences, leaving out the possibility to have decisions with more than two
alternatives. Another problem of the latter type of systems is that the alternatives (i.e. 
complementary literals) are fixed even before writing the program. We feel that alterna- 
tives should emerge only when a choice between them is required. Let us illustrate this 
with the following example. 


Example 1 (Tommy’s Birthday). Today it is Tommy’s birthday. Six years old, time goes
fast. To celebrate this, his mother agreed to invite some of his friends over for a party. 
Sitting in his room he is dreaming about his own private party: “A huge birthday cake 
with lots of candles, of course not forgetting the icing. Lots of candy and biscuits. 
We just have to make sure that there is plenty, you can never have enough treats. But 
no matter what, there definitely has to be that big cake. Hopefully my mum will let 
me decide, that way I can have everything my heart desires. I know that if she starts 
interfering, she will force me to choose. That is what mums always do.” 

Intuitively, one would expect two possible outcomes for this party: 


— Tommy’s Birthday, Tommy is planning, Tommy and his friends having cake, bis- 
cuits and candy. 

— Tommy’s Birthday, Tommy’s mother does the planning, Tommy and his friends 
only having cake. 


Thus, in the first solution cake, biscuits and candy are not considered alternatives of
which only one has to be selected, while in the second they are, because Tommy’s mother
forces him to make this difficult choice.

To allow this kind of reasoning, two things need to be added to logic programming. 
First of all we need a mechanism to represent the possible decisions. As argued in [4,5], 
choice logic programs are an intuitive tool to represent conditional decisions, as the 
semantics make sure that only one alternative is chosen. Thus, choice logic programs 
will be the foundation on which we build our new formalism. Now only a mechanism
for denoting preference/order amongst different alternatives is missing. To this end, we 
will use a generalization to multiple alternatives of the ideas behind Ordered Logic [6]. 
Our formalism, called Ordered Choice Logic Programs, defines a partial order amongst 
choice logic programs, called components. Each component inherits, like in object ori- 
entation, the rules of the less specific components. Normal model semantics is used 
until alternatives for the same decision are in conflict. Then, the most specific alterna- 
tive is decided upon. 

These extensions offer a new view point to the above mentioned application domains. 
For example it is possible to reason about which method overrides the others in a sub- 
classing chain, where with the previous systems one could only detect whether a method 
was overridden or not. Also applications in AI & law can be envisaged: e.g. a lawyer can
work out a whole strategy by taking into account the possible actions of the other parties.

We are also able to add a new application domain to this list: Game Theory¹ [8]. We
will show that ordered choice logic programs are capable of naturally representing finite
extensive games with perfect information such that the stable models of the former
correspond with, depending on the transformation, either the Nash equilibria or the
subgame perfect equilibria of the latter.

¹ Game Theory has proven its usefulness in domains such as economics and computer science.

The outline of the rest of the paper is as follows: In Sect. 2 we introduce ordered 
choice logic programs. The stable model semantics for such programs is presented in 
Sect. 3. Sect. 4 is used for discussing an application in game theory while Sect. 5 com- 
pares ordered choice logic programs with some alternative approaches. 


2 Ordered Choice Logic Programs 


The basis of Ordered Choice Logic Programs is, as the name already indicates,
choice logic programs [4,5].

We identify a choice logic program with its grounded version, i.e. the set of all
ground instances of its clauses. This keeps the program finite as we do not allow function
symbols (i.e. we stick to datalog).


Definition 1 ([4,5]). A Choice Logic Program, CLP for short, is a finite set of rules of
the form $A \leftarrow B$ where $A$ and $B$ are finite sets of atoms.


Intuitively, atoms in $A$ are assumed to be xor’ed together while $B$ is read as a conjunction
(note that $A$ may be empty, i.e. constraints are allowed). In examples, we often
use “$\oplus$” to denote exclusive or, while “,” is used to denote conjunction.

The Herbrand Base and interpretations for a choice logic program are defined in
the usual way, except that we will only consider total interpretations in this paper.


Definition 2 ([4,5]). Let $P$ be a CLP. The Herbrand Base of $P$, denoted $B_P$, is defined
as the set of all atoms appearing in the program. An interpretation $I$ is any subset of
the Herbrand Base of $P$, i.e. $I \subseteq B_P$. An atom in $I$ is assumed to be true while an atom
in $B_P \setminus I$ is considered false. We denote the set of all false atoms wrt $I$ as $\overline{I}$.


Definition 3. An Ordered Choice Logic Program, or OCLP, is a pair $\langle \mathcal{C}, \preceq \rangle$ where
$\mathcal{C}$ is a finite set of choice logic programs, called components, and “$\preceq$” is a partial
order on $\mathcal{C}$. In this paper we assume that $\mathcal{C}$ contains a minimal element $C_\perp$, such that
$C_\perp \preceq X$ for all $X \in \mathcal{C}$. Furthermore, we assume that a rule appears in at most one
component of $\mathcal{C}$².


For two components $C_1, C_2 \in \mathcal{C}$, $C_1 \prec C_2$ implies that $C_2$ contains more general
information than $C_1$³. Also $[A, B]$ is used to denote the set $\{X \mid A \preceq X \preceq B\}$. Similarly,
$[A, B[$ denotes the set $\{X \mid A \preceq X \prec B\}$.

Throughout the examples, we will often represent an OCLP $P$ by means of a directed
acyclic graph (dag) in which the nodes represent the components and the arcs the relation
“$\prec$”.


² This is only a technical restriction that considerably simplifies the notation.
³ As usual, “$\prec$” denotes the restriction of “$\preceq$” to all the pairs of distinct components.
    $P_1$:  $birthday \leftarrow$

    $P_2$:  $candy \leftarrow birthday$
            $biscuits \leftarrow birthday$

    $P_3$:  $cake \leftarrow birthday$

    $P_4$:  $me \oplus mother \leftarrow$
            $biscuits \oplus candy \oplus cake \leftarrow mother$


Fig. 1. Tommy’s Birthday Dream.


Example 2. Tommy’s Birthday dream can easily be translated into the OCLP depicted
in Fig. 1 where the choice rules in $P_4$ correspond with Tommy specifically knowing
that either he or his mother will do the organization and that in case his mother will be
in charge, he will be forced to choose between all the goodies. The order, together with
the rules of $P_2$ and $P_3$, expresses that Tommy is more in favor of cake than any of the
other treats. Finally $P_1$ introduces the general fact that it is Tommy’s birthday.


As more specific components “inherit” the rules from more general components, 
we also need, when defining an interpretation, to consider the atoms mentioned in those 
less specific parts. 


Definition 4. Given an OCLP $P$ and a component $A \in \mathcal{C}$ of $P$, an interpretation for
$P$ in $A$ is any interpretation of $A^*$, where $A^*$ denotes the CLP $\{r \mid r \in B \in \mathcal{C} \text{ and } A \preceq B\}$.
An interpretation for $P$ is called global if it is an interpretation in $C_\perp$.

We say that a rule $r$ is applicable in $I$ if $B_r \subseteq I$⁴ and that $r$ is applied in $I$ if $r$ is
applicable and $|H_r \cap I| = 1$⁵.


We argued in the introduction that choice rules represent a choice between the head
elements once the precondition, the body, is satisfied (i.e. the rule is applicable). From
that moment on, we can consider those elements as alternatives. With this we can define
the alternatives for an atom $a$ from a viewpoint $B$ known in a specific component $A$,
called horizon, as those atoms that appear together with $a$ in the head of an applicable
choice rule in a component $C$ at least as specific as $B$ but not more so than $A$ (i.e.
$C \in [A, B]$).


Definition 5. Let $P$ be an OCLP, let $A, B \in \mathcal{C}$ be components of $P$ and let $I$ be an
interpretation in $A$. For any rule $r \in A^*$, we use $c(r)$ to denote its component. The set
of all alternatives for an atom $a \in B_{A^*}$ in $[A, B]$, wrt $I$, denoted $\Omega^{I}_{[A,B]}(a)$, is defined
as:

$$\Omega^{I}_{[A,B]}(a) = \{b \mid \exists r \in A^* \cdot c(r) \in [A, B] \,\wedge\, B_r \subseteq I \,\wedge\, a, b \in H_r \text{ with } a \neq b\}.$$


⁴ For a rule $r = Q \leftarrow R$, we use $H_r$ to denote its head $Q$ while $B_r$ denotes its body $R$.
⁵ $|A|$ denotes the number of elements in the set $A$.
Now we are in a position to demonstrate that OCLPs are really dynamic when considering
the alternatives for a decision.


Example 3. Reconsider Tommy’s Dream OCLP of example 2. Let $I$ and $J$ be the following
global interpretations: $I = \{birthday, me\}$ and $J = \{birthday, mother\}$. The
set of alternatives for biscuits in $[C_\perp, P_2]$ wrt $I$ equals $\Omega^{I}_{[C_\perp, P_2]}(biscuits) = \emptyset$, while
the one wrt $J$ is $\Omega^{J}_{[C_\perp, P_2]}(biscuits) = \{cake, candy\}$. In words, this means that biscuits
is not part of any decision when considering $I$, while it is if you are using $J$ instead.
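
The computation in this example can be replayed with a few lines of Python. The sketch below is only an illustration: the encoding of rules as (component, head, body) triples, the names `ORDER`, `RULES`, `leq` and `alternatives`, and in particular the assumption that the components of Fig. 1 form the chain $P_4 \prec P_3 \prec P_2 \prec P_1$ are ours.

```python
# (X, Y) in ORDER means X is strictly more specific than Y.
# Assumption: the components of Fig. 1 form the chain P4 < P3 < P2 < P1.
ORDER = {("P4", "P3"), ("P4", "P2"), ("P4", "P1"),
         ("P3", "P2"), ("P3", "P1"), ("P2", "P1")}

# Each rule is (component, head atoms, body atoms).
RULES = [
    ("P1", {"birthday"}, set()),
    ("P2", {"candy"}, {"birthday"}),
    ("P2", {"biscuits"}, {"birthday"}),
    ("P3", {"cake"}, {"birthday"}),
    ("P4", {"me", "mother"}, set()),
    ("P4", {"biscuits", "candy", "cake"}, {"mother"}),
]


def leq(x, y):
    """Reflexive closure of the strict order on components."""
    return x == y or (x, y) in ORDER


def alternatives(atom, low, high, interp):
    """Alternatives for `atom` in the interval [low, high] w.r.t. `interp`."""
    result = set()
    for comp, head, body in RULES:
        in_interval = leq(low, comp) and leq(comp, high)
        # Only applicable choice rules that mention the atom contribute.
        if in_interval and body <= interp and atom in head:
            result |= head - {atom}
    return result


I = {"birthday", "me"}
J = {"birthday", "mother"}
print(alternatives("biscuits", "P4", "P2", I))
print(alternatives("biscuits", "P4", "P2", J))
```

With $I$ the choice rule in $P_4$ is not applicable, so the first call yields the empty set; with $J$ it is applicable and the second call yields cake and candy.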


Deciding upon different alternatives can vary depending on the one who is making 
the decision or on the kind of decision. In all cases, when one alternative is preferred 
over all others, the choice is easily made: you simply take that alternative and leave out 
the others. But what happens if some alternatives are equally preferred (or incompara- 
ble)? One possible way of dealing with this dilemma is just making an objective choice 
between those alternatives. In this case, one is at least sure that there is a solution to the 
problem. This is the credulous⁶ way of looking at the world.

In this context we say, intuitively, that a rule is defeated if there exist(s) some applied 
rule(s) containing head alternatives that are not less preferred than the ones defeated in 
the head of the defeated rule. 


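Definition 6. Let $P$ be an OCLP, let $A \in \mathcal{C}$ be a component of $P$ and let $I$ be an
interpretation in $A$. A rule $r \in A^*$ is defeated in $A$ wrt $I$ iff

$$\forall a \in H_r \cdot \exists r' \in A^* \cdot c(r) \not\prec c(r') \,\wedge\, r' \text{ is applied} \,\wedge\, H_{r'} \subseteq \Omega^{I}_{[A, c(r)]}(a).$$

The rules $r'$ are called defeaters.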


The following two examples illustrate the two possible ways that a rule can be 
defeated: a rule can either be defeated by a single rule containing only alternatives for 
each head element, or by a number of rules containing only alternatives for some of the 
head elements, but together they offer alternatives for the whole lot. 


Example 4. Consider the following OCLP $\langle \mathcal{C}, \preceq \rangle$ with:

    $P_1$: $r_1$: $a \leftarrow$        $P_2$: $r_2$: $a \oplus b \leftarrow$        $P_3$: $r_3$: $b \leftarrow$

such that $\mathcal{C} = \{P_1, P_2, P_3\}$ and $P_3 \prec P_2 \prec P_1$. Let $I = \{b\}$ be an interpretation in
$P_3$. For this interpretation, the rule $r_1$ is defeated by the more specific rule $r_3$ as $a$ has a
more specific alternative $b$, due to the more specific rule $r_2$.


⁶ There exists also a more skeptical way of facing alternatives that are equally preferred or
incomparable. Whereas in the credulous approach a choice between the alternatives is acceptable,
one remains undecided in the skeptical one. Although most results in this paper also hold for 
the skeptical semantics, we will only use the credulous approach in this paper. 
Example 5. Consider the following OCLP $\langle \mathcal{C}, \preceq \rangle$ with:

    $P_1$: $r_1$: $a \oplus b \leftarrow$        $P_2$: $r_2$: $a \leftarrow$        $P_3$: $r_3$: $b \leftarrow$

such that $\mathcal{C} = \{P_1, P_2, P_3\}$, $P_3 \prec P_2$ and $P_3 \prec P_1$. Assume the global interpretation
$I = \{a, b\}$. The atoms $a$ and $b$ are alternatives of each other in $[P_3, P_1]$ wrt $I$, and $r_2$
and $r_3$ together defeat $r_1$ in $P_3$ wrt $I$. Notice also that $r_3$ does not defeat $r_2$, as $a$ and $b$
are no longer alternatives in $[P_3, P_2]$.


A model for a program P in a component A is an interpretation that satisfies every 
rule in one way or another. We extend the usual satisfaction criteria for choice logic 
programs with the possibility that rules may also be defeated in order to be satisfied. 


Definition 7. Let $P$ be an OCLP and let $A \in \mathcal{C}$ be a component of $P$. An interpretation
$I$ in $A$ is a model in $A$ iff every rule in $A^*$ is either not applicable, applied or defeated
in $A$ wrt $I$. A model is global iff it is a model in $C_\perp$.


Example 6. The program of example 2 has two global models, which correspond to the
intuition given in example 1, namely: $M_1 = \{birthday, candy, biscuits, cake, me\}$
and $M_2 = \{birthday, cake, mother\}$.
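
The two global models can be found by brute force over all interpretations. The Python sketch below is a minimal illustration under stated assumptions: the components of Fig. 1 are taken to form the chain $P_4 \prec P_3 \prec P_2 \prec P_1$, the defeat condition is read as "the component of the defeated rule is not strictly more specific than that of the defeater", rules with an empty head are never treated as defeated, and all identifiers are hypothetical.

```python
from itertools import combinations

# (X, Y) in ORDER means X is strictly more specific than Y (assumed chain).
ORDER = {("P4", "P3"), ("P4", "P2"), ("P4", "P1"),
         ("P3", "P2"), ("P3", "P1"), ("P2", "P1")}
BOTTOM = "P4"  # the minimal (most specific) component

# Each rule is (component, head atoms, body atoms).
RULES = [
    ("P1", {"birthday"}, set()),
    ("P2", {"candy"}, {"birthday"}),
    ("P2", {"biscuits"}, {"birthday"}),
    ("P3", {"cake"}, {"birthday"}),
    ("P4", {"me", "mother"}, set()),
    ("P4", {"biscuits", "candy", "cake"}, {"mother"}),
]
ATOMS = sorted(set().union(*(head | body for _, head, body in RULES)))


def leq(x, y):
    return x == y or (x, y) in ORDER


def alternatives(atom, low, high, interp):
    """Alternatives for `atom` in [low, high] w.r.t. `interp`."""
    return {b for comp, head, body in RULES
            if leq(low, comp) and leq(comp, high)
            and body <= interp and atom in head
            for b in head - {atom}}


def applicable(rule, interp):
    return rule[2] <= interp


def applied(rule, interp):
    return applicable(rule, interp) and len(rule[1] & interp) == 1


def defeated(rule, low, interp):
    """Every head atom has an applied defeater that only offers its alternatives."""
    comp, head, _ = rule
    visible = [q for q in RULES if leq(low, q[0])]
    return bool(head) and all(
        any(applied(q, interp)
            and (comp, q[0]) not in ORDER
            and q[1] <= alternatives(a, low, comp, interp)
            for q in visible)
        for a in head)


def is_model(interp, low=BOTTOM):
    return all(not applicable(r, interp) or applied(r, interp)
               or defeated(r, low, interp)
               for r in RULES if leq(low, r[0]))


models = [set(c) for n in range(len(ATOMS) + 1)
          for c in combinations(ATOMS, n) if is_model(set(c))]
for m in models:
    print(sorted(m))
```

Under these assumptions the enumeration finds exactly the two interpretations listed in the example. In the model with mother, the rules for candy and biscuits are satisfied only because the applied cake rule in $P_3$ defeats them.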


Facing a decision, one expects that, for obtaining a solution (model), a choice has 
to be made among the available alternatives. 


Proposition 1. Let $P$ be an OCLP and let $M$ be a model for $P$ in a component $A \in \mathcal{C}$.
For every applicable rule $r \in A^*$:

$$\forall a \in H_r \cdot a \in M \,\vee\, (\exists b \in \Omega^{M}_{[A, c(r)]}(a) \cdot b \in M)$$


3 The Stable Model Semantics 


The simple semantics presented in the previous section is not always intuitive, as is 
illustrated by the following example. 


Example 7. Consider the following OCLP $P$:

    $P_1$:  $a \oplus b \leftarrow$        $P_2$:  $a \leftarrow b$
                                              $b \leftarrow a$

with $P_2 \prec P_1$.
This program has a single global minimal model $M = \{a, b\}$. Note that the presence of
either $a$ or $b$ in $M$ depends on the application of the defeated rule $a \oplus b \leftarrow$.


In this section, we will present the so-called stable model semantics which, while
preserving minimality, will prevent unnatural models such as the one in example 7.

Just as stable models for “normal” logic programs and disjunctive logic programs,
our stable models are based on the notion of a Gelfond-Lifschitz transformation.


A Logic for Modeling Decision Making with Dynamic Preferences 397 


Definition 8. Let $M$ be an interpretation for an OCLP $P$ in a component $A$. We define
the Gelfond-Lifschitz transformation for $P$ in $A$ wrt $M$, denoted $P^M$, as the positive
logic program with constraints obtained from $A^*$ in the following way:

1. remove all defeated rules from $A^*$,

2. remove all false atoms from the head of the remaining rules with more than one
atom in the head,

3. replace all rules $r$ with more than one head atom with constraint rules: for each
such rule $r$ where $a, b \in H_r$ and $a \neq b$, we add a constraint

$$\leftarrow B_r, a, b.$$


The introduction of constraints is necessary to assure that a non-defeated applicable 
choice rule with more than one head atom will be properly satisfied (i.e. only one head 
atom must be considered true). 

Stable models for a program are then minimal models of the program obtained from 
applying the Gelfond-Lifschitz transformation. 


Definition 9. Let $M$ be an interpretation for an OCLP $P$ in a component $A$. $M$ is
called a stable model for $P$ in $A$ iff $M$ is a minimal model for the positive logic program
$P^M$.


In example 6, both $M_1$ and $M_2$ are stable.
The next theorem confirms our earlier claim that the stable model semantics restricts 
the minimal model semantics. 


Theorem 1. Let $M$ be a stable model for an OCLP $P$ in a component $A$. Then, $M$ is a
minimal model for $P$ in $A$.


The reverse is not true, as illustrated by the following example. 


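Example 8. Consider the program $P$ from example 7 which has a unique minimal
model $M = \{a, b\}$ in $P_2$. Applying the Gelfond-Lifschitz transformation on $P$ in $P_2$
removes the defeated rule $a \oplus b \leftarrow$ and yields

$$a \leftarrow b \qquad\qquad b \leftarrow a$$

This program has $\emptyset \neq M$ as a minimal model, so $M$ is not stable.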
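
The stability test can be sketched in Python as follows. This is a minimal illustration, not the authors' procedure: it reads step 3 of the transformation as "a rule that still has several head atoms after step 2 is replaced by pairwise constraints", it reads the defeat condition as in the sketches above, it never treats rules with an empty head as defeated, and it decides minimality by comparing the interpretation with the least model of the remaining definite rules. All identifiers are hypothetical, and the chain order for the birthday program is an assumption.

```python
def leq(order, x, y):
    return x == y or (x, y) in order


def alternatives(rules, order, atom, low, high, interp):
    return {b for comp, head, body in rules
            if leq(order, low, comp) and leq(order, comp, high)
            and body <= interp and atom in head
            for b in head - {atom}}


def applied(rule, interp):
    _, head, body = rule
    return body <= interp and len(head & interp) == 1


def defeated(rules, order, rule, low, interp):
    comp, head, _ = rule
    return bool(head) and all(
        any(applied(q, interp) and (comp, q[0]) not in order
            and q[1] <= alternatives(rules, order, a, low, comp, interp)
            for q in rules if leq(order, low, q[0]))
        for a in head)


def reduct(rules, order, low, interp):
    """Return (definite rules, constraints) of the transformation w.r.t. interp."""
    definite, constraints = [], []
    for rule in rules:
        comp, head, body = rule
        if not leq(order, low, comp) or defeated(rules, order, rule, low, interp):
            continue  # step 1: defeated rules are dropped
        kept = head & interp if len(head) > 1 else head  # step 2
        if len(kept) == 1:
            definite.append((next(iter(kept)), set(body)))
        elif not kept:
            constraints.append(set(body))
        else:  # step 3: pairwise constraints over the remaining head atoms
            kept = sorted(kept)
            constraints += [set(body) | {a, b}
                            for i, a in enumerate(kept) for b in kept[i + 1:]]
    return definite, constraints


def is_stable(rules, order, low, interp):
    definite, constraints = reduct(rules, order, low, interp)
    least, changed = set(), True
    while changed:  # least model of the definite rules
        changed = False
        for atom, body in definite:
            if body <= least and atom not in least:
                least.add(atom)
                changed = True
    return least == interp and not any(c <= least for c in constraints)


# Example 7: P1: a (+) b <-   P2: a <- b, b <- a   with P2 < P1.
EX7_ORDER = {("P2", "P1")}
EX7_RULES = [("P1", {"a", "b"}, set()), ("P2", {"a"}, {"b"}), ("P2", {"b"}, {"a"})]
print(is_stable(EX7_RULES, EX7_ORDER, "P2", {"a", "b"}))

# Birthday program of Fig. 1, assuming the chain P4 < P3 < P2 < P1.
BD_ORDER = {("P4", "P3"), ("P4", "P2"), ("P4", "P1"),
            ("P3", "P2"), ("P3", "P1"), ("P2", "P1")}
BD_RULES = [("P1", {"birthday"}, set()), ("P2", {"candy"}, {"birthday"}),
            ("P2", {"biscuits"}, {"birthday"}), ("P3", {"cake"}, {"birthday"}),
            ("P4", {"me", "mother"}, set()),
            ("P4", {"biscuits", "candy", "cake"}, {"mother"})]
print(is_stable(BD_RULES, BD_ORDER, "P4", {"birthday", "cake", "mother"}))
```

Under these assumptions the first call reports that $\{a, b\}$ is not stable, because the least model of the two remaining rules is empty, while the second call accepts the model of the birthday program in which Tommy's mother does the planning.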


Looking back on example 7, we note that, for the minimal model M = {a, b}, at 
least one atom must have been produced only by a defeated rule. Intuitively, such atoms 
can be considered assumptions, because they lack a proper motivating rule to introduce 
them. The following definition makes this intuition more precise. 


Definition 10. Let $I$ be an interpretation for an OCLP $P$ in a component $A$. A set
$X \subseteq B_{A^*}$ is called an assumption set wrt $I$ iff for each $a \in X$ one of the following
conditions is satisfied:

1. $\exists r = (a \oplus A \leftarrow B) \in A^* \cdot B \subseteq I \,\wedge\, A \cap I \neq \emptyset \,\wedge\, r$ is not defeated in $A$ wrt $I$; or
2. $\exists r = (\leftarrow B, a) \in A^* \cdot B \subseteq I$; or
3. $\forall r \in A^*$ where $a \in H_r$, one of the following conditions holds:
   (a) $B_r \not\subseteq I$; or
   (b) $B_r \cap X \neq \emptyset$; or
   (c) $r$ is defeated in $A$ wrt $I$; or
   (d) $H_r \cap B_r \neq \emptyset$.

The set of all assumption sets for $P$ in $A$ wrt $I$ is denoted $\mathcal{A}_{P,A}(I)$. The greatest
assumption set for $P$ in $A$ wrt $I$, denoted $GAS_{P,A}(I)$, is the union of all assumption sets
for $P$ in $A$ wrt $I$.


The first condition in Definition 10 expresses that, if there exists a non-defeated appli- 
cable rule with already a true atom in the head, then the interpretation does not need a 
to become/maintain a model. The second condition says that, if a constraint contains, 
besides the element one is considering, only true atoms, one should not assume that 
element to be true as well. The last condition states that if every rule with a in the head 
is either not applicable, defeated, containing assumptions in the body or sharing atoms 
both in the head and the body, then we know that the atom a is not involved in making 
the interpretation into a model. 
The greatest assumption set is an assumption set. 


Proposition 2. Let $I$ be an interpretation for an OCLP $P$ in a component $A$. Then,
$GAS_{P,A}(I) \in \mathcal{A}_{P,A}(I)$.


Assumption sets can be used to eliminate candidate models. 


Proposition 3. Let $M$ be a model for an OCLP $P$ in a component $A$. Then $\overline{M}$ is an
assumption set, i.e. $\overline{M} \in \mathcal{A}_{P,A}(M)$.


Checking the assumption-free property can be quite time consuming when one
needs to verify every subset of $B_{A^*}$. The following proposition implies that there is
an easier way.


Proposition 4. Let $I$ be an interpretation for an OCLP $P$ in a component $A$. $I$ is
assumption-free, i.e. $I \cap GAS_{P,A}(I) = \emptyset$, iff no non-empty subset of $I$ is an assumption
set for $P$ in $A$ wrt $I$.


Assumption sets characterize stable models. 


Theorem 2. Let $M$ be a model for an OCLP $P$ in a component $A$. Then, $M$ is stable
iff $M$ is assumption-free for $P$ in $A$ wrt $M$, i.e. $M \cap GAS_{P,A}(M) = \emptyset$.


For choice logic programs we have that minimal models are unfounded-free, which
equals assumption-free when the interpretation is total. For OCLP, this can no longer
be maintained. A counterexample was presented in example 7: the minimal model
$\{a, b\}$ is not assumption-free (i.e., $\{a, b\} \in \mathcal{A}_{P,P_2}(\{a, b\})$).

Assumption sets are also useful to compute stable models: Fig. 2 contains a sketch
of a backtracking fixpoint procedure BF such that BF($\emptyset$) generates all stable models (in
the component $A$).
    procedure BF(I : set<atom>) {
        set<atom> X = $GAS_{P,A}(I)$
        if ($X \cap I \neq \emptyset$)
            fail
        if ($X = \overline{I}$)
            I is a stable model
        else {
            set<rule> R = $\{r \mid r \in A^* \text{ applicable and not defeated and } H_r \cap I = \emptyset\}$
            set<atom> J = $\{a \mid a \in H_r \wedge r \in R \wedge a \notin X\}$
            for each $a \in J$
                BF($I \cup \{a\}$)
        }
    }


Fig. 2. Computing stable models


4 An Application to Finite Extensive Games with Perfect 
Information 


In this section we give a brief and informal overview of extensive games with perfect
information ([8]) and demonstrate in more detail how OCLPs can be used to retrieve
the games’ equilibria from the transformed programs.

An extensive game is a detailed description of a sequential structure representing 
the decision problems encountered by agents (called players) in strategic decision
making (agents are capable of reasoning about their actions in a rational manner). The agents
in the game are perfectly informed of all events that previously occurred. Thus, they 
can decide upon their action(s) using information about the actions which have already 
taken place. This is done by means of passing histories of previous actions to the decid- 
ing agents. Terminal histories are obtained when all the agents/players have made their 
decision(s). Players have a preference for certain outcomes over others. Often, prefe- 
rences are indirectly modeled using the concept of payoff where players are assumed to 
prefer outcomes where they receive a higher payoff. 

Summarizing, a game is a 4-tuple, denoted $\langle N, H, P, (\succsim_i)_{i \in N} \rangle$, containing the players
$N$ of the game, the histories $H$, a player function $P$ telling whose turn it is after a certain
history and a preference relation $\succsim_i$ for each player $i$ over the set of terminal histories.
For examples, we use a more convenient representation: a tree. The small circle at the
top represents the initial history. Each path starting at the top represents a history. The
terminal histories are the paths ending in the leaves. The numbers next to nodes represent
the players while the labels of the arcs represent an action. The numbers below the
terminal histories are payoffs representing the players’ preferences (the first number is
the payoff of the first player, the second number is the payoff of the second player, ...).


Example 9. Two people use the following procedure to share two desirable identical 
objects. One of them proposes an allocation, which the other either accepts or rejects. 
In the event of rejection, neither person receives either of the objects. 

An extensive game with perfect information, $\langle N, H, P, (\succsim_i)_{i \in N} \rangle$, that models the
individuals’ predicament is shown in its alternative representation in Fig. 3.


400 Marina De Vos and Dirk Vermeir 


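[Game tree: player 1 proposes one of the allocations (2,0), (1,1) or (0,2), and player 2 then
accepts (y) or rejects (n); payoffs at the leaves, from left to right: 2,0   0,0   1,1   0,0   0,2   0,0.]


Fig. 3. The Sharing-an-Object game of example 9.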


A strategy of a player in an extensive game is a plan that specifies the actions chosen
by the player for every history after which it is her turn to move. A strategy profile
contains a strategy for each player. E.g. $((2, 0), yyy)$ is a strategy profile where the first
player intends to take both objects and the second player plans to accept (indicated by
“y”) any of the three possible proposals from the first player.

The first solution concept for an extensive game with perfect information ignores the
sequential structure of the game; it treats the strategies as choices that are made once
and for all before the actual game starts. A strategy profile is a Nash equilibrium if no
player can unilaterally improve upon his choices. Put another way, given the other
players’ strategies, the strategy stated for the player is the best this player can do⁷.


Example 10. The extensive game with perfect information of example 9 has nine Nash
equilibria: $((2,0), yyy)$, $((2,0), yyn)$, $((2,0), yny)$, $((2,0), ynn)$, $((1,1), nyy)$,
$((1,1), nyn)$, $((0,2), nny)$, $((2,0), nny)$, $((2,0), nnn)$.
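
These nine profiles can be checked directly against the definition of a Nash equilibrium. The following Python sketch enumerates all strategy profiles of the sharing game; the encoding of player 2's strategy as a three-letter string over y and n (one answer per proposal, in the order (2,0), (1,1), (0,2)) follows the example, while the function and variable names are our own.

```python
from itertools import product

PROPOSALS = [(2, 0), (1, 1), (0, 2)]
# A strategy of player 2 answers each possible proposal, e.g. 'yny'.
RESPONSES = ["".join(r) for r in product("yn", repeat=len(PROPOSALS))]


def payoff(proposal, responses):
    """Payoff pair for a proposal and a response plan of player 2."""
    accepted = responses[PROPOSALS.index(proposal)] == "y"
    return proposal if accepted else (0, 0)


def is_nash(proposal, responses):
    """No player gains by deviating while the other strategy stays fixed."""
    u1, u2 = payoff(proposal, responses)
    best1 = all(payoff(p, responses)[0] <= u1 for p in PROPOSALS)
    best2 = all(payoff(proposal, r)[1] <= u2 for r in RESPONSES)
    return best1 and best2


equilibria = [(p, r) for p in PROPOSALS for r in RESPONSES if is_nash(p, r)]
for p, r in equilibria:
    print(p, r)
print(len(equilibria))
```

The enumeration confirms the count of nine. It also shows why several of them look odd: a profile such as $((2,0), nnn)$ survives only because player 2's announced rejections are never put to the test.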


The following transformation will be used to retrieve the Nash equilibria from the 
game as the stable models of the corresponding OCLP. 


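Definition 11. Let $\langle N, H, P, (\succsim_i)_{i \in N} \rangle$ be an extensive game with perfect information.
The corresponding OCLP $P_n$ can be constructed in the following way:

- $\mathcal{C} = \{C^t\} \cup \{C_u \mid \exists i \in N, h \in Z \cdot u = U_i(h)\}$;

- $C^t \prec C_u$ for all $C_u \in \mathcal{C}$;

- $\forall C_u, C_w \in \mathcal{C} \cdot C_u \prec C_w$ iff $u > w$;

- $\forall h \in (H \setminus Z) \cdot (\{a \mid ha \in H\} \leftarrow) \in C^t$;

- $\forall h = h_1 a h_2 \in Z \cdot a \leftarrow B \in C_u$ with $B = \{b \in [h]$⁸ $\mid h = h_3 b h_4, P(h_3) \neq P(h_1)\}$
  and $u = U_{P(h_1)}(h)$.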

The set of components consists of a component containing all the decisions that
need to be considered and a component for each payoff. The order amongst the components
is established according to their represented payoff (higher payoffs correspond to
more specific components) with the decision component at the bottom of the hierarchy
(the most specific component). Since Nash equilibria do not take into account the
sequential structure of the game, players have to decide upon their strategy before starting
the game, leaving them to reason about both past and future. This is reflected in the
rules: each rule in a payoff component is made out of a terminal history (path from top
to bottom in the tree) where the head represents the action taken when considering the
past and future created by the other players according to this history. The component
of the rule corresponds with the payoff the deciding player would receive in case the
history was carried out.


⁷ Note that the strategies of the other players are not actually known to i, as the choice of
strategy has been made before the play starts. As stated before, no advantage is drawn from the
sequential structure.

⁸ We use [h] to denote the set of actions appearing in a sequence h.


Fig. 4. The corresponding $P_n$ and $P_s$ OCLPs of the extensive game with perfect information
of example 9.


Example 11. Reconsider the Object-sharing game of example 9. The corresponding
OCLP $P_n$ is depicted on the left side of Fig. 4⁹. This program $P_n$ has nine stable models
which exactly correspond with the nine Nash equilibria of the game.


In the next theorem we show that there is indeed a correspondence between Nash 
equilibria and stable models. 


Theorem 3. Let $G = \langle N, H, P, (\succsim_i)_{i \in N} \rangle$ be a finite extensive game with perfect
information and let $P_n$ be its corresponding OCLP. Then, $s^*$ is a Nash equilibrium for $G$
iff $s^*$ is a global stable model for $P_n$.


Although the Nash equilibria for an extensive game with perfect information are 
intuitive, they have, in some situations, undesirable properties due to not exploiting the 
sequential structure of the game. These undesirable properties are illustrated by the next 
example. 


9 To make the graph more readable we renamed the actions (2,0), (1,1) and (0,2) as
a, b and c, respectively. We also labeled the responses of the second player to make the
choices disjoint.
[Figure: game tree. The Child moves first and chooses Good (payoffs 1,2) or Bad; after
Bad, the Parent chooses Punish (payoffs 0,0) or Not Punish (payoffs 2,1).]

Fig. 5. The Child-Parent game of example 12.


Example 12. The game in Fig. 5 has two Nash equilibria: (Good, Punish) and (Bad, Not
Punish), with payoff profiles (1,2) and (2,1). The strategy profile (Good, Punish) is a
Nash equilibrium because, given that the Parent chooses Punish after history Bad, it is
optimal for the Child to choose Good at the start of the game. It is nevertheless
unintuitive: the equilibrium is sustained by the "threat" of the Parent to choose Punish
if the Child is Bad, and this threat is not credible, since the Parent has no way to commit
herself to this choice. Thus the Child can be confident that the Parent will Not Punish him
in case he is Bad; since the Child prefers the outcome (Bad, Not Punish) to the Nash
equilibrium (Good, Punish), he has an incentive to deviate from the equilibrium
and choose Bad. We will see that the notion of a subgame perfect equilibrium captures
these considerations.
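
The two Nash equilibria of example 12 can be checked by brute force. The following is a minimal Python sketch, not part of the formalism of this paper: the names `payoff` and `is_nash` are illustrative, and a strategy of the Parent is taken to be her response to the history Bad.

```python
from itertools import product

# Strategies: the Child picks an action at the root; the Parent picks her
# response to the history "Bad" (her only decision point).
CHILD = ["Good", "Bad"]
PARENT = ["Punish", "Not Punish"]

def payoff(child, parent):
    """Return (Child payoff, Parent payoff) for a strategy profile."""
    if child == "Good":
        return (1, 2)  # the Parent never gets to move
    return (0, 0) if parent == "Punish" else (2, 1)

def is_nash(child, parent):
    """A profile is a Nash equilibrium if no unilateral deviation pays off."""
    u_child, u_parent = payoff(child, parent)
    child_ok = all(payoff(c, parent)[0] <= u_child for c in CHILD)
    parent_ok = all(payoff(child, p)[1] <= u_parent for p in PARENT)
    return child_ok and parent_ok

nash = [(c, p) for c, p in product(CHILD, PARENT) if is_nash(c, p)]
print(nash)  # [('Good', 'Punish'), ('Bad', 'Not Punish')]
```

The profile (Good, Punish) passes the test only because the Parent's choice is never executed when the Child is Good, which is exactly the non-credible threat discussed above.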


Because players are informed about the previous actions, they only need to reason
about actions taken in the future. This philosophy is represented by subgames. A
subgame is created by pruning the tree in the upwards direction. So, intuitively, a subgame
represents a stage in the decision making process where irrelevant and already known
information is removed.


Example 13. The two subgames of the game presented in example 12 are depicted in 
Fig. 6. 


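[Figure: (a) the complete game tree: the Child chooses Good (payoffs 1,2) or Bad, after
which the Parent chooses Punish (payoffs 0,0) or Not Punish (payoffs 2,1); (b) the subtree
after Bad: the Parent chooses Punish (payoffs 0,0) or Not Punish (payoffs 2,1).]

Fig. 6. The subgames of the Child-Parent game of example 13.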


Instead of just demanding that the strategy profile is optimal at the beginning of the
game, we require that for a subgame perfect equilibrium the strategy is optimal after
every history. In other words, for every subgame, the strategy profile, restricted to this
subgame, needs to be a Nash equilibrium. This can be interpreted as if the players revise
their strategy after every choice made by them or another player.


Example 14. The Child-Parent game of example 12 has one subgame perfect
equilibrium, (Bad, Not Punish), which reflects that the threat of the Parent is not credible.
The Object-sharing game of example 9 has two subgame perfect equilibria:
((2,0), yyy) and ((1,1), nyy).
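
For the Child-Parent game, the subgame perfect equilibrium can also be found by backward induction, that is, by solving the smallest subgames first. The sketch below is only an illustration under our own assumptions: the tree encoding and the function name `backward_induction` are hypothetical, and ties are broken in favour of the first action, so for games with ties (such as the Object-sharing game) it returns only one of the equilibria.

```python
# A terminal node is a payoff tuple (Child, Parent); a decision node is a
# pair (player index, {action: subtree}).
CHILD, PARENT = 0, 1
game = (CHILD, {
    "Good": (1, 2),
    "Bad": (PARENT, {"Punish": (0, 0), "Not Punish": (2, 1)}),
})

def backward_induction(node, history=()):
    """Return (payoffs, plan); plan maps each history to the chosen action."""
    if not isinstance(node[1], dict):  # terminal node: a payoff tuple
        return node, {}
    player, moves = node
    best_action, best_payoffs, plan = None, None, {}
    for action, subtree in moves.items():
        payoffs, subplan = backward_induction(subtree, history + (action,))
        plan.update(subplan)  # keep the choices made in every subgame
        if best_payoffs is None or payoffs[player] > best_payoffs[player]:
            best_action, best_payoffs = action, payoffs
    plan[history] = best_action
    return best_payoffs, plan

payoffs, plan = backward_induction(game)
print(payoffs)  # (2, 1)
print(plan)     # {('Bad',): 'Not Punish', (): 'Bad'}
```

The plan prescribes an action after every history, including the one after Bad, which is what distinguishes a subgame perfect equilibrium from a plain Nash equilibrium.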


The following transformation makes sure that subgame perfect equilibria corres- 
pond with the stable models of an OCLP. 


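Definition 12. Let $(N, H, P, (\succeq_i)_{i \in N})$ be an extensive game with perfect information.
The corresponding OCLP $P_s$ can be constructed as follows:

- $C = \{C^t\} \cup \{C_u \mid \exists i \in N, h \in Z \cdot u = U_i(h)\}$;

- $C^t \prec C_u$ for all $C_u \in C$;

- $\forall C_u, C_w \in C \cdot C_u \prec C_w$ iff $u > w$;

- $\forall h \in (H \setminus Z) \cdot (\{a \mid ha \in H\} \leftarrow) \in C^t$;

- $\forall h = h_1 a h_2 \in Z,\ P(h_1) = i \cdot (a \leftarrow B) \in C_u$ with
  $B = \{b \in [h_2] \mid h = h_3 b h_4, P(h_3) \neq i\}$ and $u = U_{P(h_1)}(h)$.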


This transformation is quite similar to the one for obtaining the Nash equilibria. 
The only difference between the two is the creation of history-dependent rules: since 
subgame perfect equilibria take the sequential structure into account, players no longer 
need to reason about what happened before their decision. They can solely focus on the 
future. 
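
To make the construction concrete, the following Python sketch generates the rules for the Child-Parent game of example 12. It follows our reading of Definition 12: the decision component holds one choice rule per non-terminal history, and every terminal history h = h1 a h2 contributes a rule with head a to the component of the payoff of the player deciding after h1, whose body consists of the actions in h2 taken by other players. The data layout and the name `build_components` are assumptions made for illustration; the sketch only builds the rules and does not compute stable models.

```python
from collections import defaultdict

# Child-Parent game: terminal histories with payoff profiles (Child, Parent)
# and the player function on the non-terminal histories.
CHILD, PARENT = 0, 1
TERMINAL = {
    ("Good",): (1, 2),
    ("Bad", "Punish"): (0, 0),
    ("Bad", "Not Punish"): (2, 1),
}
PLAYER = {(): CHILD, ("Bad",): PARENT}

def build_components(terminal, player):
    """Return (choice_rules, payoff_rules) under our reading of Definition 12."""
    # Decision component: one choice rule per non-terminal history h,
    # offering every action a such that ha is a history.
    choice_rules = {
        h: sorted({z[len(h)] for z in terminal if z[:len(h)] == h})
        for h in player
    }
    # Payoff components: for h = h1 a h2, a rule (a, B) in the component of
    # u = U_i(h), with i the player deciding after h1 and B the actions in h2
    # that are chosen by players other than i.
    payoff_rules = defaultdict(set)
    for h, utilities in terminal.items():
        for k, action in enumerate(h):
            i = player[h[:k]]
            body = frozenset(
                h[j] for j in range(k + 1, len(h)) if player[h[:j]] != i
            )
            payoff_rules[utilities[i]].add((action, body))
    return choice_rules, dict(payoff_rules)

choice_rules, payoff_rules = build_components(TERMINAL, PLAYER)
for u in sorted(payoff_rules, reverse=True):  # most specific component first
    print(u, sorted((a, sorted(b)) for a, b in payoff_rules[u]))
```

For this game the payoff component for 2 contains the single rule Bad ← Not Punish, the component for 1 contains Good ← and Not Punish ←, and the component for 0 contains Bad ← Punish and Punish ←.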


Example 15. Consider once more the Object-sharing game of example 9. The
corresponding OCLP $P_s$ is shown on the right side of Fig. 4. This $P_s$ has the subgame perfect
equilibria $(a, y_1 y_2 y_3)$ and $(b, n_1 y_2 y_3)$ as its stable models.


Theorem 4. Let $G = (N, H, P, (\succeq_i)_{i \in N})$ be an extensive game with perfect
information and let $P_s$ be its corresponding OCLP. Then, $s^*$ is a subgame perfect equilibrium
of $G$ iff $s^*$ is a global stable model for $P_s$.


Note that [10] proposes an alternative formalism to model strategic games using an 
extension of logic programming. However, in [10], the specification of choices is ex- 
ternal to the program while, in our approach, we rely on nondeterminism (and priority) 
to represent alternatives and on the properties of the stable model semantics to obtain 
equilibria. 


5 Relationships to Other Approaches 


5.1 Ordered Logic ([6]) 


Ordered logic programs are a special case of OCLPs, also semantically: all choices are
restricted to the two alternatives $a$ and $\neg a$. This is confirmed by the following.
[Figure: (a) components $P_1$, $P_2$ and $P_3$ containing the rules fly ← bird, penguin ←,
bird ← penguin and ¬fly ← penguin; (b) the same components, with the choice rule
fly ⊕ ¬fly ← added to $P_3$.]

Fig. 7. a) The ordered logic version of the Penguin problem. b) The corresponding
Penguin OCLP $P_{P_3}$ with respect to component $P_3$.


Proposition 5. Let $P = (C, \leq)$ be an ordered logic program in the sense of [6] and let
$A \in C$ be a component for it. The corresponding OCLP $P_A$ with respect to $A$ equals
$(C', <)$ where:

$C' = \{B \in C \mid B \neq A\} \cup \{A \cup \{a \oplus \neg a \leftarrow \mid a, \neg a \in \mathcal{B}_{A^*}\}\}$.

An interpretation $I$ in $A$ is a model for $P$ in $A$ iff $I$ is a model for $P_A$ in $A$.

We illustrate this construction with the following well-known example:


Example 16 (Tweety, the penguin). The left side of Fig. 7 depicts the ordered logic
program for the problem. The right-hand side gives the corresponding OCLP with respect to
component $P_3$. Both programs have only one model in component $P_3$, namely
$M = \{bird, \neg fly, penguin\}$.
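
The construction of Proposition 5 amounts to adding, to the chosen component, a choice rule between every atom and its negation. The following Python sketch shows this for the Penguin program; it is an illustration under stated assumptions, not the authors' implementation. The rule encoding, the names `negate` and `to_oclp`, and the distribution of the rules over $P_1$ and $P_2$ are assumptions, and literals are collected from all components, which we assume coincides with what is visible from $P_3$.

```python
def negate(literal):
    """Classical negation on string literals: maps a to ¬a and ¬a to a."""
    return literal[1:] if literal.startswith("¬") else "¬" + literal

def to_oclp(components, target):
    """Add a choice rule (a ⊕ ¬a ←) to `target` for every atom a whose
    positive and negative literal both occur in the program."""
    literals = set()
    for rules in components.values():
        for head, body in rules:
            literals.add(head)
            literals.update(body)
    atoms = sorted(
        l for l in literals if not l.startswith("¬") and negate(l) in literals
    )
    # Copy the rule lists so that the input program is left untouched.
    result = {name: list(rules) for name, rules in components.items()}
    result[target] += [((a, negate(a)), ()) for a in atoms]
    return result

# Rules are (head, body) pairs; a choice rule has a tuple of alternatives as head.
# The split of the rules over P1 and P2 is an assumption.
penguin = {
    "P1": [("fly", ("bird",))],
    "P2": [("penguin", ()), ("bird", ("penguin",))],
    "P3": [("¬fly", ("penguin",))],
}
oclp = to_oclp(penguin, "P3")
print(oclp["P3"])  # [('¬fly', ('penguin',)), (('fly', '¬fly'), ())]
```

Only fly occurs both positively and negatively, so a single choice rule is added, in line with the right side of Fig. 7.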


5.2 Other Approaches to Preference 


Dynamic preference in extended logic programs is introduced in [3] in order to obtain a 
better suited well-founded semantics. Although preferences are called dynamic they are 
not dynamic in our sense. Instead of defining a preference relation on subsets of rules, 
preferences are incorporated as rules in the program. Moreover, a stability criterion 
may come into play to overrule preference information. Another difference with our 
approach is that the alternatives are static. 

A totally different approach is proposed in [12]. Here the preferences are defined 
amongst atoms. Given these preferences, one can combine them to obtain preferences 
for sets of atoms. Defining models in the usual way, the preferences are then used to 
filter out the less preferred models. As a result, this system is not convenient for decision
making, as the preferences cannot easily be made to depend on the situation.

In [1], preference in extensive disjunctive logic programming is considered. As far 
as overriding is concerned the technique corresponds rather well with our skeptical 
defeating, but alternatives are fixed as an atom and its (real) negation. 

Outside the context of logic programming, [2] proposes to add priorities to the ob- 
ject language of default logic. Extensions are then required to be compatible with this 
information. OCLP and [2] support different intuitions on the notion of priority, as
shown by the following example:


Example 17. 


$P_1$: $a \leftarrow$             $P_2$: $\neg c \leftarrow$
$P_3$: $c \leftarrow a$           $P_4$: $c \oplus \neg c \leftarrow$


with $P_4 < P_3 < P_2 < P_1$. With our approach, we obtain $\{a, c\}$ as the (stable) model
of this program, while [2] returns $\{a, \neg c\}$ as the extension for the default theory. [2]
considers the knowledge of $a$, coming from a more general rule (the rule from $P_1$),
insufficient to favor the rule from $P_3$ over the one from $P_2$. We, and also [11], prefer to
say that there is no counter evidence for $a$, so we should exploit this knowledge as much
as possible.